Skip to main content
Sumo Logic

Lab 11 - Identify "out of the ordinary" Events

Explore the functionality of the outlier operator, which allows you to identify events outside of a threshold.

 

  1. Search your Labs/Apache/Access logs looking for status_code 404 for  the last 60 minutes.

  2. Slice your 60 minutes by 1-minute increments and count your 404 status codes by timeslice.

  3. Identify outliers outside of the 3 standard deviations and plot results on a line graph.

  4. Test the same with outliers outside of 1 standard deviation. Chart on a line graph.

_sourceCategory=Labs/Apache/Access status_code=404

| timeslice 1m

| count(status_code) as error_count by _timeslice

| outlier error_count window=10, consecutive=1, threshold=3, direction=+-

  1. Bonus: Edit the parameters for window, consecutive, threshold, and direction to see the change in behavior.

Image of outlier chart