...
_source=BridgeServer2-Prod MetricsFilter | parse "\"status\":*," as status | where status >= 400 and status < 500 and status != 401 and status != 404 | count by status, uri | sort by _count
This query matches our 4XX alarm. It returns all requests that had a 4XX error, except 401s (which are surprisingly common) and 404s (frequent bot-scan failures), and orders them by most frequent code and URI combination.
_source=BridgeServer2-Prod MetricsFilter | parse "\"status\":*," as status | where status >= 400 and status < 500 and status != 401 | parse "\"remote_address\":\"*\"" as ipAddress | count by ipAddress | order by _count desc
...