Guys, I have a further question regarding this. What if I have a group by in the timechart in your example? Is it possible to identify the outlier for each single http_status in this case?
index=paloalto event_id=globalprotectgateway-auth-fail
| timechart count span=10m by http_status
| streamstats window=12 avg(count) as avg, stdev(count) as stdev
| eval multiplier = 2
| eval lower_bound = avg - (stdev * multiplier)
| eval upper_bound = avg + (stdev * multiplier)
| fields - multiplier stdev
| eval isOutlier = if(count > upper_bound OR count < lower_bound, 5, 0)
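After `timechart count ... by http_status` there is no single `count` field any more (each status becomes its own column), so the `streamstats` in the search above has nothing to average. One way to get per-status bounds, as an added example that is not part of the original thread, is to turn the split columns back into rows with `untable` and then run `streamstats ... by http_status`; `limit=0` is assumed so that no status is folded into OTHER.

```spl
index=paloalto event_id=globalprotectgateway-auth-fail
| timechart count span=10m limit=0 by http_status
| untable _time http_status count
| streamstats window=12 avg(count) as avg stdev(count) as stdev by http_status
| eval multiplier = 2
| eval lower_bound = avg - (stdev * multiplier)
| eval upper_bound = avg + (stdev * multiplier)
| eval isOutlier = if(count > upper_bound OR count < lower_bound, 1, 0)
| fields - multiplier stdev
| where isOutlier = 1
```

The window of 12 now covers the last 12 ten-minute buckets of each status separately, and keeping `timechart` before `untable` preserves the zero-filled buckets, so a status that suddenly stops appearing is still scored. Drop the final `where` to keep every row for charting.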