Compare Log Messages by Day of the Week

To get the day of the week from your logs, you can reference your log's timestamps, which are stored as the metadata field _messageTime. You can also parse out any dates in your logs and use the formatDate operator to get the day of the week.

Beginning with the _messageTime field, you can determine the day of the week using the formatDate operator, and then remove the days you do not want with a where clause. This example query provides results only for Mondays:

| formatDate(_messageTime, "EEE") as day
| where day="Mon"

This example query provides only weekday results:

| formatDate(_messageTime, "EEE") as day
| where !(day="Sat" or day="Sun")

If you do not use _messageTime, and instead parse out another timestamp, you can convert it to milliseconds and determine the day this way:

| parseDate(parsedtime, "MM/dd/yyyy hh:mm:ss a") as inMillis
| formatDate(inMillis, "EEE") as day
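
The queries above only filter by day. To actually compare days against each other, the following added example (not from the original page) counts messages per calendar day and then averages those daily totals by day name. The source scope `_sourceCategory=example/auth` and the output field names are placeholder assumptions.

```sumo
// Added example. The scope below is a placeholder assumption; use your own source.
_sourceCategory=example/auth
// Bucket events into one-day slices so each calendar day is counted once.
| timeslice 1d
// _timeslice holds the slice start in epoch milliseconds, which formatDate accepts.
| formatDate(_timeslice, "EEE") as day
// One row per calendar day, labelled with its day name.
| count by _timeslice, day
// Collapse to one row per day name: typical volume and the busiest single day.
| avg(_count) as avg_messages, max(_count) as max_messages by day
| sort by avg_messages
```

Run it over a range of several weeks so each day name has more than one sample; a Saturday or Sunday whose max_messages sits far above its avg_messages is a day worth reviewing.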