Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Change timechart x-axis to quarters?

POR160893
Builder
‎03-01-2023 04:28 AM

Hi,

I have a timechart and the timeline on the X-axis must be in terms of quarters, i.e. like FY24Q1, FY24 Q2 etc.

Currently, this is my query:
(BASE SEARCH) | timechart span=1q count | eval Quarter=strftime(_time,"%Y") . "Q" . ceil((strftime(_time,"%m")+1)/3) | rename count as "Event Count" | fields Quarter, "Event Count"

However, I am receiving the following error:
Error in 'eval' command: Type checking failed. '+' only takes two strings or two numbers.

What can I do to solve this?


Thanks as always!

Labels (5)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2023 05:56 AM

The strftime function returns a string.  The error is complaining that eval can't add a number to a string.  Try this to convert the strftime output to a number.

 

| eval Quarter=strftime(_time,"%Y") . "Q" . ceil(tonumber(strftime(_time,"%m")))+1/3)

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

POR160893
Builder
‎03-01-2023 06:25 AM

When I used your suggestion as follows:
[BASE SEARCH]
| timechart span=1q count
| eval Quarter=strftime(_time,"%Y") . "Q" . ceil(tonumber(strftime(_time,"%m"))+1)/3)
| rename count as "Event Count" | fields Quarter, "Event Count",

 

I receive the following error:
Error in 'eval' command: The expression is malformed.

What can I do?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2023 06:52 AM

I misplaced a parenthesis.  Please try my revised answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

POR160893
Builder
‎03-01-2023 07:08 AM

So, at the moment, your updated query gives me this:

POR160893_0-1677683220101.png

The above query is as follows:
[BASE SEARCH]
| timechart span=1q count
| eval Quarter=strftime(_time,"%Y") . "Q" . ceil((tonumber(strftime(_time,"%m")))+1/3)
| rename count as "Event Count" | fields Quarter, "Event Count"

However, I need the individual days to be show WITH what ever quarter the day falls in.. So one timeline whose Year/Month/date and an overarching time to show what Quarter it falls.
Is this possible?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2023 07:22 AM

Timecharts support a single timeline on the X-axis.  Consider filing an enhancement request at https://ideas.splunk.com

Another thing to consider is using annotations to denote the quarters.  An annotation is a vertical line in the graph that marks when something happened.  It's not exactly what you're looking for, but may help.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/Viz/ChartEventAnnotations for more information.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...