What thresholds should I use?
All zones are different, and the appropriate threshold will depend on your typical traffic profile and needs.
Generally speaking, you can calculate a rough estimate of your normal traffic volume across your entire site by dividing the uncached requests over a 24-hour period by unique visitors for the same period. Then, divide that number by the estimated average length of a visit, in minutes, to give you a rough idea of average requests per client per minute. Multiplying that value by 4 (or larger) to establish a rough per-minute threshold for your entire site. If you are unsure, using a higher value is typically fine--most attacks are an order of magnitude above typical traffic rates.
To obtain a more specific threshold, you may wish to compare request rates over multiple days, or review individual days and base thresholds off peak traffic times.
For specific URLs, you should be able to calculate a similar value by reviewing your local access logs (or your Enterprise log share if you are an Enterprise customer)/unique clients logged for that URL. If you have not done so already, you should restore original IPs in your access logs.
You should set your threshold well above this value to account for clients that send more legitimate requests than both. While valid outlying client traffic patterns will vary per site, quadruple the average request rate is probably a good baseline to defend against attacks. You can then adjust the thresholds based on user reports and your own monitoring.
If you are actively under attack and are unsure how best to mitigate it, please file a support ticket and Cloudflare staff will help you review your traffic and make recommendations on appropriate thresholds.