Splunk SPL: Slowest Apache Requests (Top 50)

Surface the slowest Apache requests to focus performance tuning where it matters most.

What This Splunk Query Does

Sorts events by request duration and returns the slowest requests.

Supported Sourcetypes

access_combined

When to Use This SPL

Use this when users report latency or when you need to identify expensive endpoints.

Splunk SPL Query

This Splunk query uses

index=*

as a placeholder. Replace it with your actual index name.

index=* sourcetype=access_combined
| eval client_ip=coalesce(clientip, src_ip, c_ip)
| eval endpoint=coalesce(uri_path, uri, url, cs_uri_stem)
| eval response_time=coalesce(request_time, response_time, duration, time_taken)
| where isnotnull(response_time)
| eval response_time=tonumber(response_time)
| sort - response_time
| table _time host client_ip endpoint response_time status
| head 50

Assumptions and Customization

Assumes a duration field exists (for example

request_time

or

time_taken

). If your logs store microseconds, divide by 1000 or 1000000.