I would like to get the average of a measure depending on the day of the week (monday, tuesday,...) and this for a dedicated period.
I am able to retrieve the day of the week corresponding to an event (date_wday) , but I am not able to know the number of Mondays , Tuesdays,.... in the period (e.g month) and thus the results I get are not relevant.
Does anyone have an idea ?
Thanks in advance
Note that the
date_* are only available for events where the timestamp processor has been invoked, which is not the case with for instance WinEventLog:* events.
Thanks for your answer , but I'm still not able to get the right result
When I enter :
base search | stats count by date_wday
(with date range = "May 2012")
I have :
friday : 13772
monday : 17780
saturday : 16389
sunday : 20548
thursday : 18187
tuesday : 15488
When I enter :
base search | stats avg(count) by date_wday
I have 0 for all the days of the week
Do your events have a numeric field called
count? If not then computing its average would be pointless.
Your first search counts the number of events without looking at any fields or their average.
I can enter also
| stats count(Incident) by date_wday which gives me the same result as I need the number of events and if I enter :
| stats avg(count(Incident) by date_wday, I have still a null result for each day.
What should the result of
avg(count(Incident)) be for each week day? The average daily count, so if run over four weeks then a quarter of the total count?
Based on the assumption in my latest comment you can do this:
base search | bin span=1d _time | stats count dc(_time) as days by date_wday | eval average_count = count / days