
Is it possible to redefine the start of the fiscal year (September 1st) and start of the day (7:00AM) in Splunk?

Stevelim
Communicator

I have a requirement where my fiscal year starts on 1st SEP and my day starts counting at 7am and ends at 7am the next day instead of the usual 23:59:59.

Is there any way I can redefine what is a day in Splunk?

0 Karma
1 Solution

Stevelim
Communicator

I've come to realise that the best method is to use the calculated fields to create a new set of timedata:

  1. fiscalTime
  2. fiscalDate
  3. fiscalYear
  4. fiscalHr etc

This is accomplished using the relative_time commands. For example,

  • | eval fiscallogWeek = strftime(relative_time(_time,"@y-3mon"),"%U")
  • | eval fiscaltime = strftime(_time-7*60*60, "%H:%M:%S.%3N") and so on

This allows you to reuse all the Splunk commands, making sure you are using the new set of time data created. Hope this helps anyone in the same situation.


javiergn
SplunkTrust

Hi,

This is what I suggested to group months starting by the 15th instead of the 1st:

https://answers.splunk.com/answers/350544/how-do-i-create-a-timechart-by-month-but-starting.html#ans...

You can apply the same logic and use something like:

index=_internal
| eval mytime = if(date_hour<7, _time-(7*60*60), _time)
| bucket mytime span=1d
| eval day = strftime(mytime, "%d")
| table _time, date_hour, date_mday, day

Where day will be your reference day (I chose to use the two-digit representation but you can change that). See this.

Hope that helps.

EDIT: You don't even need the bucket line unless you are going to be charting using mytime. Removing this will make your query faster.
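Putting the accepted answer's calculated-field idea and the shift-by-7h trick above together, here is an added search (not from either poster) that derives a fiscal day, fiscal year and fiscal week in one pass. It assumes a day starts at 07:00, a fiscal year starts on 1 SEP 07:00 and is labelled by the calendar year in which it ends, and that the search head's timezone is the one the fiscal calendar is defined in; the field names are my own.

```spl
index=_internal
| eval fiscal_time = _time - 7*60*60
| eval fiscal_day = strftime(fiscal_time, "%Y-%m-%d")
| eval cal_year = tonumber(strftime(fiscal_time, "%Y")), cal_month = tonumber(strftime(fiscal_time, "%m"))
| eval fiscal_year = if(cal_month >= 9, cal_year + 1, cal_year)
| eval fy_start = strptime(tostring(fiscal_year - 1)."-09-01", "%Y-%m-%d")
| eval fiscal_week = floor((fiscal_time - fy_start) / (7*86400)) + 1
| stats count by fiscal_year, fiscal_week, fiscal_day
| sort fiscal_year, fiscal_week, fiscal_day
```

Shifting `_time` back seven hours before every strftime call means an event at 06:59 lands on the previous fiscal day, and computing `fy_start` at midnight in the already-shifted timeline keeps the week arithmetic consistent with the day boundary. The same `eval` lines can be pasted into props.conf as calculated fields so the fields exist on every search without repeating the logic.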

Stevelim
Communicator

Thank you for the direction! I believe this is something I am looking for. I will try it out and see if it works well.

0 Karma

renems
Communicator

Hi Stevelim,

there is no such thing as redefining days. What you can do, however, is adjusting the time in your search, by using the bin command.

http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/SearchTimeModifiers
You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12:00 AM) and subtracts 2 hours from that time.

In your situation, I would try something like: | bin earliest=@d+7h

Is this helpful to you?

Stevelim
Communicator

This helps in the sense that it allows me to custom define the time range picker to increase the performance of my search by zooming in on the exact fiscal week for the events. I believe with the recommendations by javiergn, I can achieve the results I want.

0 Karma