This query is pretty awesome! It helped enlighten us to exactly when our Splunk infrastructure is being hit with users:
index=_internal sourcetype=splunk_web_access [ rest / splunk_server=local | fields splunk_server | rename splunk_server as host ] | bin _time span=1d | stats count by date_hour _time | appendpipe [ fields _time | dedup _time | eval date_hour=mvrange(0,24,1) | eval count=0 | mvexpand date_hour ] | stats sum(count) as count by date_hour _time | stats avg(count) as avg by date_hour | sort date_hour
I found this at: https://gist.github.com/acharlieh/3254a7ab13297c760376
Credit goes to acharlieh!