Analyzing HTTP Status Code Distribution in Logs

HTTP Status Code Analysis

Web server access logs (Apache, Nginx) contain HTTP status codes that tell the story of your application's health. By parsing these logs and examining the severity distribution, you can quickly assess error rates and identify problematic patterns.

Status Code to Severity Mapping

The parser maps HTTP status codes to severity levels:

Status Range	Severity	Meaning
2xx	INFO	Successful responses
3xx	INFO	Redirects (normal behavior)
4xx	WARN	Client errors (bad requests, not found, unauthorized)
5xx	ERROR	Server errors (internal errors, timeouts, bad gateway)

Common Problem Patterns

High 404 Rate:

192.168.1.1 - - [15/Jan/2024:10:30:00 +0000] "GET /old-page HTTP/1.1" 404 162 ...
192.168.1.2 - - [15/Jan/2024:10:30:01 +0000] "GET /api/v1/users HTTP/1.1" 404 89 ...

A spike in 404s may indicate broken links after a deployment, removed API endpoints, or bot scanning for vulnerabilities.

502/504 Errors:

10.0.0.5 - - [15/Jan/2024:10:30:00 +0000] "POST /api/submit HTTP/1.1" 502 0 ...
10.0.0.6 - - [15/Jan/2024:10:30:01 +0000] "GET /api/data HTTP/1.1" 504 0 ...

502 Bad Gateway and 504 Gateway Timeout typically indicate upstream service failures.

Analysis Workflow

1. Parse your access logs with the tool
2. Open the Statistics panel to see the overall severity distribution
3. Filter by ERROR severity to isolate 5xx responses
4. Search for specific status codes (e.g., "502") in the search box
5. Check timestamps to identify when errors started and if they correlate with deployments

Calculating Error Rate

From the statistics panel:

Error Rate = (ERROR count / Total entries) * 100

A healthy web application typically maintains an error rate below 1%. Rates above 5% during a time window suggest an active incident.