
Splunk SPL: Apache Response Codes by Client IP (Top 20)

Description

Submitted by AI Crafted

See which client IPs generate the most error-heavy response codes.

What This Splunk Query Does

Counts hits for each combination of client IP and HTTP response code, then returns the 20 most frequent combinations (so a single IP can occupy several of the 20 rows if it produces several status codes).

Supported Sourcetypes

access_combined

When to Use This SPL

Use this to isolate noisy scanners, abusive IPs, or misconfigured clients.

Splunk SPL Query

This Splunk query uses index=* as a placeholder. Replace it with your actual index name.

index=* sourcetype=access_combined
| eval client_ip=coalesce(clientip, src_ip, c_ip)
| eval http_status=coalesce(status, sc_status)
| where isnotnull(client_ip) AND isnotnull(http_status)
| stats count as hits by client_ip http_status
| sort - hits
| head 20

Assumptions and Customization

Assumes the client IP is in clientip, src_ip, or c_ip, and the status code in status or sc_status; the coalesce calls pick the first of those fields that is present. To split results per server, add host to the by clause of the stats command (for example, by host client_ip http_status).
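The description above talks about error-heavy clients, but the submitted query counts every status code. As an added example (not part of the submitted query), the following variant keeps only 4xx/5xx responses, splits per server as suggested, and reports each client's error share; it assumes Splunk's default host field and that the status value converts with tonumber:

```spl
index=* sourcetype=access_combined
| eval client_ip=coalesce(clientip, src_ip, c_ip)
| eval http_status=coalesce(status, sc_status)
| where isnotnull(client_ip) AND isnotnull(http_status)
| eval is_error=if(tonumber(http_status)>=400, 1, 0)
| stats count as hits, sum(is_error) as error_hits by host client_ip
| eval error_pct=round(100*error_hits/hits, 1)
| where error_hits > 0
| sort - error_hits
| head 20
```

A high error_pct with a large hits value points at a scanner or a broken client; a high error_pct on a handful of hits is usually noise and can be filtered with a minimum hits threshold.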
