Simple Outlier Search

error |stats count by host| eventstats avg(count) as avg stdevp(count) as stdevp | eval ub=avg+2*stdevp, lb=avg-2*stdevp, is_outlier=if(count<lb, 1, if(count>ub, 1, 0)) | where is_outlier=1


Find outliers: hosts whose error count is more than two standard deviations away from the mean error count across all hosts.


As written, the search analyzes hosts with errors. Alternatively, you can alter the base search (everything before the first pipe) to source just about anything else that you'd like to analyze.
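The same pipeline stage by stage, as an added Python example that is not part of the original page: the base search and stats count become a per-host counter over constructed sample events, and the eventstats/eval/where stages become a mean and population standard deviation check (SPL's stdevp is the population deviation, hence pstdev).

```python
# Added example, not from the original page: the SPL outlier pipeline
# reimplemented in Python over constructed sample events so each stage can be
# checked offline. SPL's stdevp is the population standard deviation, hence pstdev.
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events, one per line: "<host> <level> <message>".
SAMPLE_EVENTS = """\
web01 error upstream timeout
web02 error upstream timeout
web03 error disk full
web03 error disk full
web03 error disk full
web03 error disk full
web03 error disk full
web04 error upstream timeout
web05 error upstream timeout
web06 error upstream timeout
web07 error upstream timeout
web08 error upstream timeout
web08 info request served
web09 info request served"""


def error_counts_by_host(events: str) -> dict:
    """Stage 'error | stats count by host'.

    Only events matching the base term are counted, so a host with no
    'error' events (web09 here) is absent from the result, as in SPL.
    """
    counts = Counter()
    for line in events.splitlines():
        host, _, rest = line.partition(" ")
        if "error" in rest.split():
            counts[host] += 1
    return dict(counts)


def find_outliers(counts: dict, k: float = 2.0) -> dict:
    """Stages eventstats/eval/where: flag hosts with count outside avg +/- k*stdevp."""
    values = list(counts.values())
    if not values:
        return {}
    avg, sd = mean(values), pstdev(values)
    ub, lb = avg + k * sd, avg - k * sd
    return {h: c for h, c in counts.items() if c < lb or c > ub}
```

Two caveats the example makes visible: with n hosts no single count can sit more than (n-1)/sqrt(n) population standard deviations from the mean, so with fewer than six hosts the search can never flag anything; and hosts with zero error events never reach the stats output, so the lower bound only catches low but nonzero counts.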