Log Anomaly Basics
Anomaly detection starts with simple baselines. Group logs by hour and compare 4xx/5xx error counts across hours to spot spikes.
Signals to watch
- Sudden 5xx spikes
- Repeated 429 or 403 codes
- Burst traffic from a single IP
- Top URIs changing unexpectedly
How to check quickly
- Run the Status Codes by Hour recipe.
- Compare the top URIs list across hours.
- Inspect the IPs during the spike window.
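
The checks above as one script, added here as an example and not part of the original recipes: it buckets access-log lines by hour, flags hours whose 4xx/5xx count stands out against the median hour, and lists the top IPs and URIs inside the spike window. Assumptions: combined/common log format, a 3x-median threshold, hypothetical function names, and a constructed sample log.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed combined/common log format: ip - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD uri proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2}):[^\]]+\] '
    r'"(?:\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def bucket_by_hour(lines):
    """Return {hour_key: {"total", "errors", "ips", "uris"}}; unparseable lines are skipped."""
    hours = defaultdict(lambda: {"total": 0, "errors": 0, "ips": Counter(), "uris": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        b = hours[f'{m["day"]}:{m["hour"]}']
        b["total"] += 1
        b["ips"][m["ip"]] += 1
        b["uris"][m["uri"]] += 1
        if m["status"][0] in "45":  # count 4xx and 5xx as errors
            b["errors"] += 1
    return dict(hours)

def find_spikes(hours, factor=3.0, min_errors=5):
    """Flag hours whose 4xx/5xx count exceeds factor x the median across all hours."""
    baseline = median(b["errors"] for b in hours.values()) if hours else 0
    spikes = []
    for key, b in sorted(hours.items()):  # string sort, only for stable output order
        if b["errors"] >= min_errors and b["errors"] > factor * max(baseline, 1):
            spikes.append({"hour": key, "errors": b["errors"], "baseline": baseline,
                           "top_ips": b["ips"].most_common(3),
                           "top_uris": b["uris"].most_common(3)})
    return spikes

def sample_log():
    """Constructed sample: one stray 500 per hour, plus a 403 burst from one IP at 13:00."""
    lines = []
    for hour in ("10", "11", "12", "13"):
        for i in range(20):
            status = 500 if i == 0 else 200
            lines.append(f'198.51.100.{i} - - [01/Jan/2024:{hour}:00:{i:02d} +0000] "GET /index.html HTTP/1.1" {status} 512')
    for i in range(30):
        lines.append(f'203.0.113.7 - - [01/Jan/2024:13:05:{i:02d} +0000] "POST /login HTTP/1.1" 403 128')
    return lines

if __name__ == "__main__":
    for s in find_spikes(bucket_by_hour(sample_log())):
        print(s)
```

The median keeps one noisy hour from inflating the baseline; `min_errors` keeps low-traffic hours from flagging on a handful of errors.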