Anomaly Detection Monitors

How do I make a standard deviation anomaly detection monitor?

You can use OPAL to calculate a daily count, running median, and running standard deviation from a series of values. You can then measure current values against the running historical median to determine if an alert should be fired.

timechart 1d, daily_count:count_distinct_exact(block), group_by()
make_event
make_col runningAvg:window(avg(daily_count), frame(back:7d)),
runningStdev:window(stddev(daily_count), frame(back:7d))
make_col daily_drift:(daily_count - runningAvg > runningStdev*2) OR (daily_count + runningAvg < runningStdev*2)
make_col message:"The block has returned an unusual number of events based on recent running averages."
filter daily_drift=true