Ollama Excessive API Requests

Splunk Security Content

Summary
The 'Ollama Excessive API Requests' detection rule identifies potential Distributed Denial of Service (DDoS) attacks or rate-limit abuse against Ollama API endpoints by analyzing server logs for excessive request volumes from individual client IP addresses. It works on GIN-formatted logs from the Ollama server and focuses on clients that generate abnormally high request rates within short time frames, behaviour that indicates automated attacks, botnet activity, or attempts to exhaust the resources of local AI model infrastructure. Implementing the rule requires log ingestion through the Splunk TA-ollama add-on, which monitors the Ollama server log directories and supports real-time analytics via the HTTP Event Collector. The rule relies on thresholds that operators must tune to avoid false positives from legitimate automated services, users behind NAT, or authorized load testing. The detection applies statistical analysis of request counts over 5-minute intervals to flag high-severity instances, producing findings for analyst review and operational response.
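As an added illustration (not code from Splunk's rule or the TA-ollama add-on), the script below shows the counting logic the summary describes: it parses Gin-style request log lines, buckets them per client IP into 5-minute windows and reports clients whose count exceeds a threshold. The log layout, the sample lines and the threshold value are assumptions for this example, not values taken from the rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Gin's default request log line (non-TTY output, no colour codes); layout assumed:
# [GIN] 2025/10/05 - 12:00:01 | 200 |     1.234567ms |       10.0.0.5 | POST     "/api/generate"
GIN_LINE = re.compile(
    r'^\[GIN\]\s+(?P<ts>\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2})\s*\|\s*(?P<status>\d{3})\s*\|'
    r'\s*(?P<latency>\S+)\s*\|\s*(?P<client>\S+)\s*\|\s*(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"')
EPOCH = datetime(1970, 1, 1)
WINDOW_SECONDS = 300  # the rule's 5-minute bucket

# Constructed sample: 10.0.0.5 sends 6 requests in the 12:00-12:05 bucket and 1 in the next.
SAMPLE_LOG = """\
[GIN-debug] Listening and serving HTTP on 127.0.0.1:11434
[GIN] 2025/10/05 - 12:00:01 | 200 |     1.234567ms |       10.0.0.5 | POST     "/api/generate"
[GIN] 2025/10/05 - 12:00:02 | 200 |     0.987654ms |       10.0.0.5 | POST     "/api/generate"
[GIN] 2025/10/05 - 12:00:03 | 200 |     1.100000ms |       10.0.0.9 | GET      "/api/tags"
[GIN] 2025/10/05 - 12:00:04 | 200 |     1.200000ms |       10.0.0.5 | POST     "/api/generate"
[GIN] 2025/10/05 - 12:01:10 | 200 |     1.300000ms |       10.0.0.5 | POST     "/api/chat"
[GIN] 2025/10/05 - 12:02:15 | 404 |     0.100000ms |       10.0.0.5 | GET      "/api/show"
[GIN] 2025/10/05 - 12:03:20 | 200 |     1.400000ms |       10.0.0.5 | POST     "/api/generate"
[GIN] 2025/10/05 - 12:05:01 | 200 |     1.600000ms |       10.0.0.5 | POST     "/api/generate"
"""

def parse_gin_line(line):
    """Return (timestamp, client_ip, method, path), or None for non-request lines."""
    m = GIN_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d - %H:%M:%S")
    return ts, m.group("client"), m.group("method"), m.group("path")

def count_requests_per_window(lines, window_seconds=WINDOW_SECONDS):
    """Map (window_start datetime, client_ip) -> request count; skips non-request lines."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_gin_line(line)
        if parsed is None:
            continue
        ts, client, _method, _path = parsed
        secs = int((ts - EPOCH).total_seconds())  # naive arithmetic, timezone-independent
        window = EPOCH + timedelta(seconds=secs - secs % window_seconds)
        counts[(window, client)] += 1
    return counts

def find_excessive_clients(lines, threshold, window_seconds=WINDOW_SECONDS):
    """Sorted (window_start, client_ip, count) for clients above the threshold in a window."""
    counts = count_requests_per_window(lines, window_seconds)
    return sorted((w, c, n) for (w, c), n in counts.items() if n > threshold)

if __name__ == "__main__":
    for window, client, n in find_excessive_clients(SAMPLE_LOG.splitlines(), threshold=5):
        print(f"{window:%Y-%m-%d %H:%M} {client} {n} requests in 5 min")
```

The threshold of 5 is only for the constructed sample; a production value has to be tuned against the legitimate traffic profile the summary mentions (automation, NAT, load tests).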
Categories
  • Web
  • Application
  • Endpoint
Data Sources
  • Pod
  • Container
  • Application Log
ATT&CK Techniques
  • T1498
Created: 2025-10-05