Trying to find anomalies for events. I have multiple services and multiple customers. I have an error "bucket" that is capturing events for failures, exceeded, notified, etc. I'm looking for a way to identify when there are anomalies or outliers for each of the services/customers. I have combined (eval) service, customer, and the error and am just counting the number of error events generated by each service/customer. So for example, svcA, svcB, svcC and custA, custB, custC would give:

    svcA-custA-failures 10
    svcA-custA-exceeded 5
    svcA-custA-notified 25
    svcB-custA-failures 11
    svcB-custA-exceeded 9
    svcB-custA-notified 33
    svcB-custB-failures 3
    svcA-custB-exceeded 7
    svcA-custB-notified 22
    svcA-custC-exceeded 8
    svcA-custC-failures 3
    svcA-custC-notified 267
    svcC-custC-exceeded 1
    svcC-custC-failures 4
    svcC-custB-notified 145
    svcC-custA-notified 17

Something along the lines of this (the combined field name contains hyphens, so it has to be quoted or eval treats it as subtraction):

    | eval "Svc-Cust-Evnt"=Svc."-".Cust."-".Evnt
    | stats sum(error) by "Svc-Cust-Evnt"
    | rename sum(error) as count
    | sort -count
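As an added example (not code from the thread), here is the outlier logic the question is after, written in Python instead of SPL: a median/MAD robust z-score computed per event type over the counts listed in the post, with a minimum group size guard because a handful of points gives an unstable MAD. The constant and function names are my own choices, and the counts are the constructed sample from the question.

```python
from statistics import median

# Constructed sample: the per-group counts from the question, keyed as service-customer-event.
COUNTS = {
    "svcA-custA-failures": 10, "svcA-custA-exceeded": 5, "svcA-custA-notified": 25,
    "svcB-custA-failures": 11, "svcB-custA-exceeded": 9, "svcB-custA-notified": 33,
    "svcB-custB-failures": 3, "svcA-custB-exceeded": 7, "svcA-custB-notified": 22,
    "svcA-custC-exceeded": 8, "svcA-custC-failures": 3, "svcA-custC-notified": 267,
    "svcC-custC-exceeded": 1, "svcC-custC-failures": 4, "svcC-custB-notified": 145,
    "svcC-custA-notified": 17,
}

# 1.4826 scales the median absolute deviation so it estimates the standard deviation
# for normally distributed data; 3.5 is the usual rule-of-thumb cutoff for this score.
MAD_SCALE = 1.4826


def group_by_event(counts):
    """Split 'svc-cust-event' keys by event type, so 'notified' volumes are only
    compared with other 'notified' volumes and never with 'failures'."""
    groups = {}
    for key, n in counts.items():
        event = key.rsplit("-", 1)[1]
        groups.setdefault(event, []).append((key, n))
    return groups


def find_outliers(counts, threshold=3.5, min_size=6):
    """Return {key: robust_z} for counts whose median/MAD z-score reaches the threshold.
    Groups smaller than min_size are skipped: with only a few points the MAD is
    unstable and ordinary variation gets flagged as anomalous."""
    flagged = {}
    for event, items in group_by_event(counts).items():
        values = [n for _, n in items]
        if len(values) < min_size:
            continue
        med = median(values)
        mad = median(abs(v - med) for v in values) * MAD_SCALE
        if mad == 0:
            continue  # no spread at all: the score would divide by zero
        for key, n in items:
            z = (n - med) / mad
            if abs(z) >= threshold:
                flagged[key] = round(z, 2)
    return flagged


if __name__ == "__main__":
    for key, z in sorted(find_outliers(COUNTS).items(), key=lambda kv: -kv[1]):
        print(f"{key}: robust z = {z}")
```

With the default guard only the two large "notified" counts are flagged; lowering min_size to 5 also flags the two 10/11 "failures" counts against the 3/3/4 baseline, which is exactly the small-sample noise the guard exists to suppress.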