Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to redefine the start of the fiscal year (September 1st) and start of the day (7:00AM) in Splunk?

Stevelim
Communicator
‎02-04-2016 12:44 AM

I have a requirement where my fiscal year starts in 1st SEP and my day starts counting at 7am and ends at the next day 7am instead of the usual 23:59:59.

Is there any way I can redefine what is a day in Splunk?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stevelim
Communicator
‎02-16-2016 12:52 AM

I've come to realised that the best method is to use the calculated fields to create a new set of timedata:

  1. fiscalTime
  2. fiscalDate
  3. fiscalYear
  4. fiscalHr etc

This is accomplished using the relative_time commands. For example,

  • | eval fiscallogWeek = strftime(_time,"@y-3mon),"%U")
  • | eval fiscaltime = strftime(_time-7*60*60, "%H:%M:%S.%3N") and so on

This allows you to resuse all the splunk commands making sure you are using the new set of time data created. Hope this helps anyone in the same situation.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stevelim
Communicator
‎02-16-2016 12:52 AM

I've come to realised that the best method is to use the calculated fields to create a new set of timedata:

  1. fiscalTime
  2. fiscalDate
  3. fiscalYear
  4. fiscalHr etc

This is accomplished using the relative_time commands. For example,

  • | eval fiscallogWeek = strftime(_time,"@y-3mon),"%U")
  • | eval fiscaltime = strftime(_time-7*60*60, "%H:%M:%S.%3N") and so on

This allows you to resuse all the splunk commands making sure you are using the new set of time data created. Hope this helps anyone in the same situation.

Reply
Solved! Jump to solution

javiergn
Super Champion
‎02-04-2016 12:03 PM

Hi,

This is what I suggested to group months starting by the 15th instead of the 1st:

https://answers.splunk.com/answers/350544/how-do-i-create-a-timechart-by-month-but-starting.html#ans...

You can apply the same logic and use something like:

index=_internal
| eval mytime = if(date_hour<7, _time-(7*60*60), _time)
| bucket mytime span=1d
| eval day = strftime(mytime, "%d")
| table _time, date_hour, date_mday, day

Where day will be your reference day (I chose to use the two-digit representation but you can change that). See this.

Hope that helps.

EDIT: You don't even need the bucket line unless you are going to be charting using mytime. Removing this will make your query faster.

Reply
Solved! Jump to solution

Stevelim
Communicator
‎02-10-2016 08:48 PM

Thank you for the direction! I believe this is something I am looking for. I will try it out and see if it works well.

0 Karma
Reply
Solved! Jump to solution

renems
Communicator
‎02-04-2016 12:58 AM

Hi Stevelim,

there is no such thing as redefining days. What you can do, however, is adjusting the time in your search, by using the bin command.

http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/SearchTimeModifiers
You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12:00 AM) and subtracts 2 hours from that time.

In your situation, I would try something like: | bin earliest=@d+7h

Is this helpfull to you?

Reply
Solved! Jump to solution

Stevelim
Communicator
‎02-10-2016 08:49 PM

This helps in the sense that it allows me to custom define the time range picker to increase the performance of my search be zooming in the exact fiscal week for the events. I believe with the recommendations by javiergn, I can achieve the results I want.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...