Lab 11 - Identify "out of the ordinary" Events

Explore the functionality of the outlier operator, which allows you to identify events outside of a threshold.

1. Search your Labs/Apache/Access logs looking for status_code 404 for  the last 60 minutes.

2. Slice your 60 minutes by 1-minute increments and count your 404 status codes by timeslice.

3. Identify outliers outside of the 3 standard deviations and plot results on a line graph.

4. Test the same with outliers outside of 1 standard deviation. Chart on a line graph.

_sourceCategory=Labs/Apache/Access status_code=404

| timeslice 1m

| count(status_code) as error_count by _timeslice

| outlier error_count window=10, consecutive=1, threshold=3, direction=+-

5. Bonus: Edit the parameters for window, consecutive, threshold, and direction to see the change in behavior.