I have a requirement where my fiscal year starts in 1st SEP and my day starts counting at 7am and ends at the next day 7am instead of the usual 23:59:59.
Is there any way I can redefine what is a day in Splunk?
I've come to realise that the best method is to use the calculated fields to create a new set of timedata:
- fiscalTime
- fiscalDate
- fiscalYear
- fiscalHr etc
This is accomplished using the relative_time commands. For example,
- | eval fiscallogWeek = strftime(relative_time(_time, "@y-3mon"), "%U")
- | eval fiscaltime = strftime(_time-7*60*60, "%H:%M:%S.%3N") and so on
This allows you to reuse all the splunk commands, making sure you are using the new set of time data created. Hope this helps anyone in the same situation.

Hi,
This is what I suggested to group months starting by the 15th instead of the 1st:
You can apply the same logic and use something like:
index=_internal
| eval mytime = if(date_hour<7, _time-(7*60*60), _time)
| bucket mytime span=1d
| eval day = strftime(mytime, "%d")
| table _time, date_hour, date_mday, day
Where day will be your reference day (I chose to use the two-digit representation but you can change that). See this.
Hope that helps.
EDIT: You don't even need the bucket line unless you are going to be charting using mytime. Removing this will make your query faster.
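The day-shift logic from this answer (anything before 07:00 belongs to the previous day) combined with the 1 Sep fiscal year from the question, written out as an added Python example rather than SPL so the boundary cases can be checked outside Splunk; it is not code from the thread. Assumptions: timestamps are already in the search's time zone, the fiscal year is named after the calendar year it ends in, and fiscal weeks are 7-day blocks counted from 1 Sep (the thread's %U counts calendar weeks instead).

```python
from datetime import datetime, timedelta, date

DAY_START_HOUR = 7           # a fiscal day runs 07:00 -> 07:00 the next morning
FISCAL_YEAR_START_MONTH = 9  # fiscal year begins on 1 Sep

def fiscal_day(ts: datetime) -> date:
    """Calendar date of the fiscal day that contains ts.

    Same idea as the SPL in the answer: if the hour is before 07:00, shift
    the timestamp back 7 hours so the event lands on the previous date.
    ts is assumed to already be in the time zone the search runs in.
    """
    if ts.hour < DAY_START_HOUR:
        ts -= timedelta(hours=DAY_START_HOUR)
    return ts.date()

def fiscal_year(ts: datetime) -> int:
    """Fiscal year containing ts, named after the calendar year it ends in
    (assumption: the FY starting 1 Sep 2023 is called 2024)."""
    d = fiscal_day(ts)
    return d.year + 1 if d.month >= FISCAL_YEAR_START_MONTH else d.year

def fiscal_week(ts: datetime) -> int:
    """1-based week within the fiscal year, counted in 7-day blocks from
    1 Sep (assumption; the thread's strftime %U counts calendar weeks)."""
    d = fiscal_day(ts)
    fy_start = date(fiscal_year(ts) - 1, FISCAL_YEAR_START_MONTH, 1)
    return (d - fy_start).days // 7 + 1

def fiscal_fields(ts: datetime) -> dict:
    """The calculated fields the thread proposes, for one event timestamp."""
    return {
        "fiscalDate": fiscal_day(ts).isoformat(),
        "fiscalYear": fiscal_year(ts),
        "fiscalWeek": fiscal_week(ts),
    }

if __name__ == "__main__":
    # Constructed event times sitting on the two boundaries that matter:
    # the 07:00 day boundary and the 1 Sep year boundary.
    for sample in (datetime(2023, 9, 1, 6, 59), datetime(2023, 9, 1, 7, 0),
                   datetime(2024, 8, 31, 23, 0)):
        print(sample, fiscal_fields(sample))
```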
Thank you for the direction! I believe this is something I am looking for. I will try it out and see if it works well.
Hi Stevelim,
there is no such thing as redefining days. What you can do, however, is adjusting the time in your search, by using the bin command.
http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/SearchTimeModifiers
You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12:00 AM) and subtracts 2 hours from that time.
In your situation, I would try something like: | bin earliest=@d+7h
Is this helpful to you?
This helps in the sense that it allows me to custom define the time range picker to increase the performance of my search by zooming in on the exact fiscal week for the events. I believe with the recommendations by javiergn, I can achieve the results I want.
