text code block:`ollama_server` | rex field=_raw "\|\s+(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\|" | eval src=coalesce(src, client_ip) | eval dest=coalesce(dest, url, uripath, endpoint) | bin _time span=5m | stats count as request_count by _time, src, dest, host | where request_count > 120 | eval severity="high" | eval attack_type="Rate Limit Abuse / DDoS" | stats count by _time, host, src, dest, request_count, severity, attack_type | `ollama_excessive_api_requests_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).