What would be the best way to search for anomalies/outliers for HTTP request character length by source IP? Looking for HTTP requests whose standard deviation may indicate a potential hack/indicator of compromise.
You can use MLTK for finding numeric outliers of URLs lenght
Also look at the DGA App for Splunk. It utilized MLTK to detect botnet traffic from internal network by finding auto-generated domain names.