Dashboards & Visualizations

Divide by quarter

appleman
Contributor

Hello,

In my search, I configured time as the following format %Y%m to see the trends every month over a year.
If I want to count by quarter since I can't see the time(date) how do I define it? (timerange is set "alltime")
Additionally, if it's possible, I want to add a custom timerange picker to pick each quarter, so I want to know if I can do it in splunk 6 dashboard.

Thank you.


「年/月」と定義した時間をタイムチャートで表示した時、情報量が多くて時間が隠れてしまいます。
これをクウォーターごとに区切ってカウントしたい場合はサーチ文で分割することは可能でしょうか。タイムレンジは傾向が見たいので、なるべく全時間をしても綺麗に結果が出せるようにしたいです。

尚、クウォーターが選択できるカスタムタイムレンジピッカーをsplunk6で作成する方法はございますでしょうか。

My search: index=mdm source=*idm_device cid=* | eval enrolled=strftime(enrolled_date, "%Y/%m") | chart count by enrolled_type

alt text

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this

index=mdm source=*idm_device cid=* | eval enrolled=strftime(enrolled_date,"%Y")."-Q".(round(tonumber(strftime(enrolled_date,"%m"))/3)+ 1) | chart count by enrolled

View solution in original post

eashwar
Communicator

Hello Brother,

Its very simple and straight forward

| timechart span=qtr count by enrolled_type

If you need to view a report for exactly last 6 quarters

in the advance time range set the below

earliest=-6qtr@qtr latest=-qtr@qtr

Thanks, and Happy splunking bro !!

Vote for the answer if it really helps you, thanks again

somesoni2
SplunkTrust
SplunkTrust

Try this

index=mdm source=*idm_device cid=* | eval enrolled=strftime(enrolled_date,"%Y")."-Q".(round(tonumber(strftime(enrolled_date,"%m"))/3)+ 1) | chart count by enrolled

appleman
Contributor

I've got this result. Unfortunately, this is not what I want....

alt text

0 Karma

appleman
Contributor

Yes, that's correct.

0 Karma

melonman
Motivator

Oh, that's because there is no data? so you have data for 2011 - 2012 but there is no result for timechart span=3mon count?

0 Karma

appleman
Contributor

The result above is missing 2011 through 2012 data while I could see them if I didn't divide by span=3mon.
And what I want to try most is show x axis as like "2011-Q1", "2011-Q2".... and so on.

0 Karma

melonman
Motivator

how would you like to display? could you help me understand?

0 Karma

appleman
Contributor

I've got this result. Unfortunately, this is not what I want....

alt text

0 Karma

melonman
Motivator

Could you try this?

<your filter search> | timechart span=3mon count by enrolled_type
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...