I ended up using the below with anomaly detection, which got me as close in the timeframe I had:

index=kubernetes app=nio env=prd tag=error
| timechart span=1m count by app limit=0
| eventstats median("nio") as median
| eval absDev=(abs('nio'-median))
| eventstats median(absDev) as medianAbsDev
| eval lowerBound=(median-medianAbsDev*exact(4)), upperBound=(median+medianAbsDev*exact(3))
| eval isOutlier=if('nio' < lowerBound OR 'nio' > upperBound, 1, 0)
| fields _time, "nio", lowerBound, upperBound, isOutlier, *
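To sanity-check what the asymmetric bounds in that search actually flag before trusting it for alerting, here is an added Python re-implementation of the same median/MAD logic (not code from the original post), run over a constructed set of per-minute error counts for the "nio" app:

```python
from statistics import median

# Constructed sample (not real data): error count per 1-minute bucket for app "nio",
# mirroring the timechart output columns (_time, nio).
SAMPLE = [
    ("2024-01-01T00:00", 5), ("2024-01-01T00:01", 6), ("2024-01-01T00:02", 4),
    ("2024-01-01T00:03", 5), ("2024-01-01T00:04", 7), ("2024-01-01T00:05", 5),
    ("2024-01-01T00:06", 40), ("2024-01-01T00:07", 6), ("2024-01-01T00:08", 5),
    ("2024-01-01T00:09", 0),
]


def mad_outliers(rows, lower_mult=4, upper_mult=3):
    """Replicate the SPL pipeline: median -> absDev -> medianAbsDev -> bounds -> isOutlier.

    lower_mult/upper_mult correspond to exact(4) and exact(3) in the search, i.e. the
    lower bound is looser (4 MADs) than the upper bound (3 MADs), so a sudden spike
    in errors is flagged sooner than a drop in error volume.
    """
    values = [v for _, v in rows]
    med = median(values)                       # eventstats median("nio") as median
    abs_dev = [abs(v - med) for v in values]   # eval absDev=abs('nio'-median)
    mad = median(abs_dev)                      # eventstats median(absDev) as medianAbsDev
    # Caveat the search shares: if more than half the buckets have the identical
    # count, mad == 0 and both bounds collapse onto the median, so every other
    # value is flagged. Worth checking the distribution before alerting on isOutlier.
    lower = med - mad * lower_mult
    upper = med + mad * upper_mult
    return [
        {"_time": t, "nio": v, "lowerBound": lower, "upperBound": upper,
         "isOutlier": 1 if (v < lower or v > upper) else 0}
        for t, v in rows
    ]


def outlier_times(rows, **kw):
    """Convenience view: just the bucket timestamps the search would mark isOutlier=1."""
    return [r["_time"] for r in mad_outliers(rows, **kw) if r["isOutlier"]]


if __name__ == "__main__":
    for r in mad_outliers(SAMPLE):
        print(r)
```

On the sample above the median is 5 and the MAD is 1, giving bounds of 1 and 8, so both the spike to 40 and the drop to 0 are flagged.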