@childroland if you are using Windows Performance Counter monitoring, you should be using the field Value instead of counter. Also how frequently are you collecting the performance data? Is it less than a second? You have converted the time to string time with seconds precision. Just wanted to know if you are actually collecting data every second or not. Even if you really needed to bucket time together every second, you should use | bin _time span=1s and retain time as epoch. Timechart will not work on string time.

Have you tried the following search:

index=perfmon collection=HTTP counter=CurrentConnections host=mp-bts-sa*
| bin _time span=1s
| stats avg(Value) as AvgByHost stdev(Value) as StDevbyHost by host, _time
| eval LowerBound=(AvgByHost-StDevByHost*2)
| eval UpperBound=(AvgByHost+StDevByHost*2)
| eval isOutlier=if(counter < LowerBound OR counter > UpperBound, 1,0)
| timechart span=1h count(isOutlier) by host

PS: | sort - isOutlier seems irrelevant if you are creating timechart which needs chart sorted by _time.

However, if you are interested in calculating standard deviation based outliers I would suggest you to try out Detect Numerical Outliers Showcase Experiment from the Machine Learning Toolkit app (requires Python For Scientific Computing add on as a pre-requisite depending on the type of OS). The example lists three algorithms:

1. Standard deviation
2. Median absolute deviation
3. Interquartile range

Following is an example of Standard Deviation algorithm which you can try. For sampling I have used the following limits, which you need to adjust as per your use case.

index="perfmon" collection=HTTP counter=CurrentConnections host=mp-bts-sa* 
| timechart span=60s avg(Value) as connections 
| streamstats window=3600 current=true avg("connections") as avg stdev("connections") as stdev 
| eval lowerBound=(avg-stdev*1.5), upperBound=(avg+stdev*1.5)
| eval isOutlier=if('connections' < lowerBound OR 'connections' > upperBound, 1, 0)
| fields _time, "connections", lowerBound, upperBound, isOutlier

1. average data collected every 60 seconds is taken as input value i.e. span=60s.
2. a sliding window of 3600 seconds (1 hour) is taken as sliding time interval i.e. window=3600.
3. a multiplier of 1.5 is to get the standard deviation (SD) value somewhere between 1st SD and 2nd SD.

If you create chart overlay of isOutlier field you can plot the outliers along with actual value and upper/lower bounds. Refer to one of my recent answer with Chart Overlay and Series Compare (available in Splunk 7.x): https://answers.splunk.com/answers/752153/building-a-dashboard-to-help-tune-our-network-sens.html

Also one of the older answers using Median Absolute Deviation method for outlier detection and plotting through Overlay on an Area Chart (line chart is also possible): https://answers.splunk.com/answers/747177/how-to-add-a-reference-line-to-an-outlier-chart-cr.html