Count by Day of Week

Craig_Ph · ‎04-28-2021

I am on Day 2 with Splunk.

I am trying to get the average number of records by Day of the Week (Mon, Tue, Wed, etc) of the specified timespan. I can get the total counts by Day of the Week, but I can't seem to get the average number of transactions per Day of the Week.

This gets me the total number of transactions for each day of the week in that timespan:
index=xxxxxxxxxxxxx
| eval day=strftime(_time,"%a")
| stats count by day

How do I get this to average out so that if I have 1000 records for Mondays and I have 4 Mondays in that timespan then I get the value to be 250?

I found this post from 2014, but I can't get that to work: https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904

bowesmana · ‎04-28-2021

try this

index=xxxxxxxx
| bin _time span=1d
| eval day=strftime(_time,"%a")
| stats dc(_time) as days count by day
| eval average_count = count / days

Count by Day of Week

eval

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation

Count by Day of Week

eval

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...