Explore the functionality of the outlier operator, which flags values in a time series that fall more than a chosen number of standard deviations outside the baseline computed over a trailing window of timeslices.
Search your Labs/Apache/Access logs looking for status_code 404 for the last 60 minutes.
Slice your 60 minutes by 1-minute increments and count your 404 status codes by timeslice.
Identify outliers more than 3 standard deviations from the baseline and plot the results on a line graph.
Repeat with a threshold of 1 standard deviation and chart it on a line graph; expect far more timeslices to be flagged, since at 1 standard deviation normal minute-to-minute variation in 404 counts already crosses the band.
// Scope line assumed from the step above: the Labs/Apache/Access source, 404s only
_sourceCategory=Labs/Apache/Access status_code=404
| timeslice 1m
| count(status_code) as error_count by _timeslice
| outlier error_count window=10, consecutive=1, threshold=3, direction=+-
Bonus: Edit the parameters window (number of trailing timeslices that form the baseline), consecutive (number of successive violations required before a point is flagged), threshold (number of standard deviations) and direction (+, - or +-) to see how the set of flagged timeslices changes.
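To make the effect of those four parameters concrete, here is an added Python model of the detection, not Sumo Logic's own implementation: it scores each 1-minute error_count against the mean and standard deviation of the preceding window, applies the threshold in the requested direction, and only flags a point once the violation streak reaches consecutive. The baseline definition (trailing window, population standard deviation, band of mean plus or minus threshold times the standard deviation) and the per-minute counts are assumptions made for the example; in particular, the sample series is constructed, not real lab data.

```python
# Added example (not Sumo Logic's code): a moving-window outlier detector
# mirroring the outlier operator's parameters: window, consecutive,
# threshold, direction. Assumed baseline: the `window` timeslices before
# the current one, population standard deviation, band = mean +/- threshold*stdev.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

# Constructed sample, not real log data: per-minute 404 counts for 30
# one-minute timeslices. Minutes 20 and 21 carry a burst, the kind of
# spike a path-enumeration scan against the web server produces.
PERIOD = [4, 5, 6, 5, 4, 5, 6, 5, 4, 6]
ERROR_COUNTS = PERIOD + PERIOD + [40, 38] + [5, 4, 6, 5, 4, 5, 6, 5]


@dataclass
class Point:
    index: int                # timeslice position in the series
    value: int                # error_count for that timeslice
    lower: Optional[float]    # band bounds; None while history is too short
    upper: Optional[float]
    violation: bool           # value fell outside the band this timeslice
    outlier: bool             # violation streak reached `consecutive`


def detect_outliers(series: List[int], window: int = 10, consecutive: int = 1,
                    threshold: float = 3.0, direction: str = "+-") -> List[Point]:
    """Score every timeslice against the mean/stdev of the preceding window.

    Note the baseline is not cleaned: a flagged spike stays in the window
    and widens the band for the next `window` timeslices, so a second
    burst minute right after a large one can be masked at threshold=3.
    """
    if direction not in ("+", "-", "+-"):
        raise ValueError("direction must be '+', '-' or '+-'")
    points: List[Point] = []
    streak = 0  # consecutive violations so far
    for i, value in enumerate(series):
        if i < window:
            # Not enough history to form a baseline; never flagged.
            points.append(Point(i, value, None, None, False, False))
            continue
        baseline = series[i - window:i]
        mu, sigma = mean(baseline), pstdev(baseline)
        lower, upper = mu - threshold * sigma, mu + threshold * sigma
        violation = (("+" in direction and value > upper)
                     or ("-" in direction and value < lower))
        streak = streak + 1 if violation else 0
        points.append(Point(i, value, lower, upper, violation,
                            streak >= consecutive))
    return points


def outlier_indices(series: List[int], **params) -> List[int]:
    """Just the timeslice indices flagged as outliers for the given parameters."""
    return [p.index for p in detect_outliers(series, **params) if p.outlier]


if __name__ == "__main__":
    for params in ({"threshold": 3}, {"threshold": 1},
                   {"threshold": 1, "consecutive": 2},
                   {"threshold": 1, "direction": "+"}):
        print(params, "->", outlier_indices(ERROR_COUNTS, **params))
```

Running it reproduces the lab's two charts in miniature: at threshold=3 only minute 20 is flagged, while at threshold=1 the ordinary 4s and 6s in the baseline are flagged as well, which is the noise the 1-standard-deviation run is meant to show. Raising consecutive to 2 suppresses those single-minute wobbles and keeps the burst, and direction=+ drops the low-side flags, which is usually what you want for an error-count series. Minute 21 (38 errors) is not flagged at threshold=3 because minute 20 is already inside its baseline window; keep that in mind when judging a spike that lasts several timeslices.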