Splunk SPL: Apache 404 Spike Detector (15m)

Description

Submitted by AI Crafted

Detect sudden spikes in Apache 404 errors so you can triage broken links, scan noise, or misrouted traffic quickly.

What This Splunk Query Does

Finds 404 activity, builds a short baseline, and flags time buckets that exceed the baseline by 3x.

Supported Sourcetypes

access_combined

When to Use This SPL

Use this during outage triage, after deploys, or when you suspect URL enumeration.

Splunk SPL Query

This Splunk query uses index=* as a placeholder. Replace it with your actual index name.

index=* sourcetype=access_combined
| eval http_status=coalesce(status, sc_status)
| where http_status=404
| bin _time span=1m
| stats count as hits by _time
| eventstats avg(hits) as baseline
| eval spike=if(hits > baseline * 3, "spike", "normal")
| where spike="spike"
| timechart span=1m sum(hits) as hits

Assumptions and Customization

Assumes the HTTP status is stored in the status or sc_status field. Tune the multiplier, or add by host to the stats command for per-host spikes. Note that the baseline is the average of the per-minute 404 counts across the whole search window, so the spike minutes themselves raise it, and minutes with zero 404s do not contribute because stats only emits buckets that contained events.
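The same pipeline, reproduced in Python over a handful of constructed access_combined lines so the logic can be checked offline (this is an added example, not part of the original page or of Splunk): filter to 404s, bin by minute, average the per-minute counts as the baseline, and flag buckets above 3x that baseline. The by_host option mirrors the "add by host" customization above. The log lines, hosts and paths are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Minimal matcher for the leading fields of an access_combined line:
# client host, timestamp, request line and numeric status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def _line(host, ts, path, status):
    # Helper to build a constructed access_combined line (sample data only).
    return f'{host} - - [{ts}] "GET {path} HTTP/1.1" {status} 210 "-" "Mozilla/5.0"'


# Constructed sample log: three quiet minutes with a few 404s, then one
# minute in which a single client requests many non-existent paths.
SAMPLE_LOG = [
    _line("10.0.0.5", "10/Oct/2023:13:55:10 +0000", "/index.html", 200),
    _line("10.0.0.5", "10/Oct/2023:13:55:20 +0000", "/old-page", 404),
    _line("10.0.0.7", "10/Oct/2023:13:55:40 +0000", "/missing.css", 404),
    _line("10.0.0.5", "10/Oct/2023:13:56:05 +0000", "/favicon.ico", 404),
    _line("10.0.0.9", "10/Oct/2023:13:57:30 +0000", "/robots.txt", 404),
] + [
    _line("10.0.0.42", f"10/Oct/2023:13:58:{s:02d} +0000", f"/page{s}", 404)
    for s in range(14)
]


def parse_line(line):
    """Return host, UTC timestamp and integer status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "host": m.group("host"),
        "time": ts.astimezone(timezone.utc),
        "status": int(m.group("status")),
    }


def count_404_per_minute(lines, by_host=False):
    """Equivalent of: where http_status=404 | bin _time span=1m | stats count by _time [host].

    Like stats, only buckets that actually contained 404s appear in the result.
    """
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 404:
            continue
        minute = ev["time"].strftime("%Y-%m-%dT%H:%M")
        key = (minute, ev["host"]) if by_host else minute
        counts[key] += 1
    return dict(counts)


def compute_baseline(counts):
    """Equivalent of eventstats avg(hits): mean over the emitted buckets."""
    if not counts:
        return 0.0
    return sum(counts.values()) / len(counts)


def find_spikes(counts, multiplier=3):
    """Return the buckets whose count exceeds multiplier * baseline."""
    baseline = compute_baseline(counts)
    return {k: v for k, v in counts.items() if v > baseline * multiplier}


if __name__ == "__main__":
    per_minute = count_404_per_minute(SAMPLE_LOG)
    print("baseline:", compute_baseline(per_minute))
    print("spikes:", find_spikes(per_minute))
    print("per-host spikes:", find_spikes(count_404_per_minute(SAMPLE_LOG, by_host=True)))
```

With the sample data the quiet minutes contribute 2, 1 and 1 hits and the burst minute 14, so the baseline is 4.5 and only the 13:58 bucket clears the 13.5 threshold. Doubling the burst in the sample shows the caveat from the Assumptions section: the spike raises its own baseline, which is why a longer quiet window (or a baseline computed from a separate, earlier time range) detects more reliably.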
