Similar to stephanefotso, I'd look at the eventstats command:
index=websrv sourcetype=iis NOT (whatever) | stats count as hits by c_ip | eventstats avg(hits) as avg_hits stdev(hits) as stdev_hits | where hits > avg_hits + (stdev_hits * 2)
I think I have that right; been a while since I've used stdev. Of course, based on the volume of traffic, you could start by simply looking at where hits > avg_hits.
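Added example (not part of the original answer): the same per-client statistic computed offline in Python over constructed IIS W3C log lines, so the threshold can be sanity-checked before it goes into a saved search. The function names, the k parameter and the sample data are assumptions made for this illustration; the log field is c-ip, which Splunk exposes as c_ip.

```python
import statistics
from collections import Counter

# Constructed sample: nine quiet clients and one noisy one (documentation IP ranges).
SAMPLE = {f"192.0.2.{i}": n for i, n in enumerate([10, 12, 11, 9, 13, 10, 12, 11, 12], 1)}
SAMPLE["198.51.100.7"] = 500

def make_log(counts):
    """Build constructed IIS W3C log lines; `counts` maps client IP -> request count."""
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    for ip, n in counts.items():
        lines += [f"2024-01-01 00:00:00 GET /index.html {ip} 200"] * n
    return lines

def hits_by_client(lines):
    """Counterpart of `stats count as hits by c_ip`."""
    cols, hits = [], Counter()
    for line in lines:
        if line.startswith("#Fields:"):
            cols = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#") and cols:
            row = dict(zip(cols, line.split()))
            hits[row["c-ip"]] += 1
    return hits

def outliers(hits, k=2.0):
    """Counterpart of `eventstats avg/stdev` + `where hits > avg + k*stdev`.

    Uses the sample standard deviation, which is what Splunk's stdev() returns.
    k=0 gives the simpler `hits > avg_hits` starting point.
    """
    if len(hits) < 2:                        # stdev is undefined for one client
        return {}
    avg = statistics.mean(hits.values())
    sd = statistics.stdev(hits.values())
    return {ip: n for ip, n in hits.items() if n > avg + k * sd}

if __name__ == "__main__":
    hits = hits_by_client(make_log(SAMPLE))
    print("flagged at 2 sigma:", outliers(hits))
    # Caveat: one extreme client inflates the stdev it is measured against.
    # With sample stdev the largest possible z-score is (n-1)/sqrt(n), so with
    # five or fewer distinct clients nothing can ever exceed avg + 2*stdev.
    few = {"192.0.2.1": 10, "192.0.2.2": 10, "192.0.2.3": 10,
           "192.0.2.4": 10, "198.51.100.7": 100000}
    print("five clients, 2 sigma:", outliers(few))
```

If the search returns nothing on a low-traffic site, check the number of distinct c_ip values before concluding there is no noisy client.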