https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142912#M39701 <P>Based on the assumption in my latest comment you can do this:</P> <PRE><CODE>base search | bin span=1d _time | stats count dc(_time) as days by date_wday | eval average_count = count / days </CODE></PRE> Tue, 29 Apr 2014 12:57:46 GMT martin_mueller 2014-04-29T12:57:46Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904#M39693 <P>Hello </P> <P>I would like to get the average of a measure depending on the day of the week (monday, tuesday,...) and this for a dedicated period.</P> <P>I am able to retrieve the day of the week corresponding to an event (date_wday) , but I am not able to know the number of Mondays , Tuesdays,.... in the period (e.g month) and thus the results I get are not relevant.</P> <P>Does anyone have an idea ?</P> <P>Thanks in advance</P> <P>Loys </P> Fri, 25 Apr 2014 09:47:04 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904#M39693 loyslegrand 2014-04-25T09:47:04Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142905#M39694 <P>What's wrong with this?</P> <PRE><CODE>base search | stats avg(measure) by date_wday </CODE></PRE> Fri, 25 Apr 2014 10:35:11 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142905#M39694 martin_mueller 2014-04-25T10:35:11Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142906#M39695 <P>That should do the trick!</P> Fri, 25 Apr 2014 21:36:14 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142906#M39695 bsizemore 2014-04-25T21:36:14Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142907#M39696 <P>Note that the <CODE>date_*</CODE> are only available for events where the timestamp processor has been invoked, which is not the case with for instance WinEventLog:* events.</P> Sat, 26 Apr 2014 11:34:08 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142907#M39696 Ayn 2014-04-26T11:34:08Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142908#M39697 <P>Thanks for your answer , but I'm still not able to get the right result</P> <P>When I enter :</P> <P><CODE>base search | stats count by date_wday</CODE></P> <P>(with date range = "May 2012")</P> <P>I have :</P> <P>friday : 13772</P> <P>monday : 17780</P> <P>saturday : 16389</P> <P>sunday : 20548</P> <P>thursday : 18187</P> <P>tuesday : 15488</P> <P>wednesday :21458</P> <P>When I enter :</P> <PRE><CODE>base search | stats avg(count) by date_wday </CODE></PRE> <P>I have 0 for all the days of the week</P> <P>BRgds</P> <P>Loys</P> Tue, 29 Apr 2014 09:08:30 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142908#M39697 loyslegrand 2014-04-29T09:08:30Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142909#M39698 <P>Do your events have a numeric field called <CODE>count</CODE>? If not then computing its average would be pointless.</P> <P>Your first search counts the number of events without looking at any fields or their average.</P> Tue, 29 Apr 2014 09:31:16 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142909#M39698 martin_mueller 2014-04-29T09:31:16Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142910#M39699 <P>I can enter also <CODE>| stats count(Incident) by date_wday</CODE> which gives me the same result as I need the number of events and if I enter : <CODE>| stats avg(count(Incident) by date_wday</CODE>, I have still a null result for each day.</P> Tue, 29 Apr 2014 12:07:58 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142910#M39699 loyslegrand 2014-04-29T12:07:58Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142911#M39700 <P>What should the result of <CODE>avg(count(Incident))</CODE> be for each week day? The average daily count, so if run over four weeks then a quarter of the total count?</P> Tue, 29 Apr 2014 12:55:57 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142911#M39700 martin_mueller 2014-04-29T12:55:57Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142912#M39701 <P>Based on the assumption in my latest comment you can do this:</P> <PRE><CODE>base search | bin span=1d _time | stats count dc(_time) as days by date_wday | eval average_count = count / days </CODE></PRE> Tue, 29 Apr 2014 12:57:46 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142912#M39701 martin_mueller 2014-04-29T12:57:46Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142913#M39702 <P>in May 2012 from which my data are from, there are 4 mondays for 17780 incidents =&gt; an average of 17780/4 = 4445 incidents on Mondays, and 5 Tuesdays for 15488 =&gt; an average of 15488/5 = 3097 incidents on Tuesdays</P> Tue, 29 Apr 2014 13:48:30 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142913#M39702 loyslegrand 2014-04-29T13:48:30Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142914#M39703 <P>Great Job - It works - Thanks a lot </P> <P>Loys</P> Tue, 29 Apr 2014 16:27:27 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142914#M39703 loyslegrand 2014-04-29T16:27:27Z https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142915#M39704 <P>Hi loyslegrand,</P> <P>My issue is that I have created a successful search for 1 category but need to know how to count for different category over week days and show them on one chart.</P> <P>base search category=* | bin span=1d _time | stats count dc(_time) as days by date_wday | eval average_count = count / days</P> Tue, 29 Sep 2020 09:03:43 GMT https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142915#M39704 deepanram211219 2020-09-29T09:03:43Z