Splunk SPL: Apache 404 Spike Detector (15m)
Description
Detect sudden spikes in Apache 404 errors so you can triage broken links, scan noise, or misrouted traffic quickly.
What This Splunk Query Does
Finds 404 activity, bins it into one-minute buckets, uses the average hits per bucket across the search window as the baseline, and flags any bucket whose count exceeds three times that baseline.
Supported Sourcetypes
access_combined
When to Use This SPL
Use this during outage triage, after deploys, or when you suspect URL enumeration.
Splunk SPL Query
This Splunk query uses index=* as a placeholder. Replace it with your actual index name.
index=* sourcetype=access_combined
| eval http_status=coalesce(status, sc_status)
| where http_status=404
| bin _time span=1m
| stats count as hits by _time
| eventstats avg(hits) as baseline
| eval spike=if(hits > baseline * 3, "spike", "normal")
| where spike="spike"
| timechart span=1m sum(hits) as hits
Assumptions and Customization
Assumes HTTP status is stored in status or sc_status. Tune the multiplier or add by host for per-host spikes.
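To make the detection logic concrete, here is a Python reimplementation of the query's pipeline run over constructed access_combined lines. This is an added example, not code from the page or from Splunk; the function and field names (parse_combined, detect_404_spikes, make_sample_log) are my own, and the sample log is invented. It mirrors each stage of the SPL: filter to status 404, bin by minute (bin _time span=1m), count per bucket (stats count by _time), average over the buckets (eventstats avg), and flag buckets above multiplier times that average.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean

# Apache access_combined: Common Log Format plus referer and user-agent.
# This regex approximates the fields Splunk's access_combined sourcetype extracts.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 01/May/2024:10:07:00 +0000


def parse_combined(line):
    """Parse one access_combined line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["_time"] = datetime.strptime(rec["timestamp"], APACHE_TS)
    rec["status"] = int(rec["status"])
    return rec


def bin_minute(ts):
    """Equivalent of 'bin _time span=1m': truncate to the start of the minute."""
    return ts.replace(second=0, microsecond=0)


def detect_404_spikes(lines, multiplier=3.0):
    """Apply the SPL logic to raw log lines.

    Returns (hits_per_bucket, baseline, spike_buckets), where spike_buckets are the
    minute timestamps whose 404 count exceeds multiplier * baseline.
    """
    hits = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["status"] != 404:  # where http_status=404
            continue
        hits[bin_minute(rec["_time"])] += 1      # stats count as hits by _time
    if not hits:
        return {}, 0.0, []
    # eventstats avg(hits): the mean is taken over buckets that have at least one 404,
    # because 'stats count by _time' emits no row for an empty minute.
    baseline = mean(hits.values())
    spikes = sorted(t for t, n in hits.items() if n > baseline * multiplier)
    return dict(hits), baseline, spikes


def make_sample_log():
    """Constructed sample (not real traffic): 15 minutes with two 404s per minute,
    one 200 per minute, and a burst of thirty 404s in the minute starting 10:07."""
    start = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(15):
        t = start + timedelta(minutes=minute)
        n404 = 30 if minute == 7 else 2
        for i in range(n404):
            ts = (t + timedelta(seconds=i)).strftime(APACHE_TS)
            lines.append(
                f'203.0.113.{i + 1} - - [{ts}] "GET /old/page{i}.html HTTP/1.1" 404 209 '
                f'"-" "Mozilla/5.0"'
            )
        ts = t.strftime(APACHE_TS)
        lines.append(
            f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        )
    return lines


if __name__ == "__main__":
    hits, baseline, spikes = detect_404_spikes(make_sample_log())
    print(f"baseline={baseline:.2f} 404s/min, threshold={baseline * 3:.1f}")
    for t in spikes:
        print(f"spike at {t:%H:%M}: {hits[t]} 404s")
```

Two properties of the SPL show up clearly once the logic is spelled out. First, the baseline averages only minutes that had at least one 404, because empty buckets produce no stats row, so a quiet site with sparse 404s gets a higher baseline than its true per-minute rate. Second, eventstats averages over every bucket including the spike itself, so a large burst inflates the baseline and can hide smaller bursts in the same window; raising the multiplier (as the customization note suggests) trades sensitivity for fewer alerts on that same data.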