Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Quarter drop-down Splunk dashboard?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Folks,
I have been working on creating a drop-down where 1Q should represent Jan,feb,march data...2Q= April, may, June data etc.....Also when I select 1Q as my drop-down below I should display Jan , Feb , march either in same panel or different.. Please guide me how I can achieve this??
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Inayath_khan correct answer to your question depends on what is your use case. If you want your input to show values as Q1, Q2... Current year Q3 and Q4 have not come. So ideally
(1) Either You should either Show, Current Quarter and Previous Quarter etc kind of information which keep on rolling as per current quarter.
(2) Or have first selection of year and then display the quarters which are valid as per current year quarters.
Also once you select a quarter do you want to pass on EPOCH time as earliest and latest filter or Quarter name directly to your SPL. This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).
Following the SPL that you can try for
1) Option 1:
| makeresults
| fields - _time
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q")
| append
[| makeresults
| fields - _time
| eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
]
| append
[| makeresults
| fields - _time
| eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
]
| append
[| makeresults
| fields - _time
| eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-4q"),TimeLatest=relative_time(now(),"@q-3q")
]
and Option 2)
| makeresults
| fields - _time
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s")
| append
[| makeresults
| fields - _time
| eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
]
| append
[| makeresults
| fields - _time
| eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
]
| append
[| makeresults
| fields - _time
| eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Inayath_khan correct answer to your question depends on what is your use case. If you want your input to show values as Q1, Q2... Current year Q3 and Q4 have not come. So ideally
(1) Either You should either Show, Current Quarter and Previous Quarter etc kind of information which keep on rolling as per current quarter.
(2) Or have first selection of year and then display the quarters which are valid as per current year quarters.
Also once you select a quarter do you want to pass on EPOCH time as earliest and latest filter or Quarter name directly to your SPL. This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).
Following the SPL that you can try for
1) Option 1:
| makeresults
| fields - _time
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q")
| append
[| makeresults
| fields - _time
| eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
]
| append
[| makeresults
| fields - _time
| eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
]
| append
[| makeresults
| fields - _time
| eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-4q"),TimeLatest=relative_time(now(),"@q-3q")
]
and Option 2)
| makeresults
| fields - _time
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s")
| append
[| makeresults
| fields - _time
| eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
]
| append
[| makeresults
| fields - _time
| eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
]
| append
[| makeresults
| fields - _time
| eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks buddy this helped me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Inayath_khan I have converted my comment to answer. Please accept if your issue has been resolved!
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
