Solved: Re: Quarter drop-down Splunk dashboard?

Inayath_khan · ‎04-25-2020

Hi Folks,

I have been working on creating a drop-down where 1Q should represent Jan,feb,march data...2Q= April, may, June data etc.....Also when I select 1Q as my drop-down below I should display Jan , Feb , march either in same panel or different.. Please guide me how I can achieve this??

Thanks in advance

niketn · ‎04-26-2020

@Inayath_khan correct answer to your question depends on what is your use case. If you want your input to show values as Q1, Q2... Current year Q3 and Q4 have not come. So ideally

(1) Either You should either Show, Current Quarter and Previous Quarter etc kind of information which keep on rolling as per current quarter.
(2) Or have first selection of year and then display the quarters which are valid as per current year quarters.

Also once you select a quarter do you want to pass on EPOCH time as earliest and latest filter or Quarter name directly to your SPL. This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).

Following the SPL that you can try for

1) Option 1:

| makeresults 
| fields - _time 
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-4q"),TimeLatest=relative_time(now(),"@q-3q")
        ]

and Option 2)

| makeresults 
| fields - _time 
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
        ]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎04-26-2020

@Inayath_khan correct answer to your question depends on what is your use case. If you want your input to show values as Q1, Q2... Current year Q3 and Q4 have not come. So ideally

(1) Either You should either Show, Current Quarter and Previous Quarter etc kind of information which keep on rolling as per current quarter.
(2) Or have first selection of year and then display the quarters which are valid as per current year quarters.

Also once you select a quarter do you want to pass on EPOCH time as earliest and latest filter or Quarter name directly to your SPL. This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).

Following the SPL that you can try for

1) Option 1:

| makeresults 
| fields - _time 
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-4q"),TimeLatest=relative_time(now(),"@q-3q")
        ]

and Option 2)

| makeresults 
| fields - _time 
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
        ]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Inayath_khan · ‎04-29-2020

Thanks buddy this helped me.

niketn · ‎05-05-2020

@Inayath_khan I have converted my comment to answer. Please accept if your issue has been resolved!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Quarter drop-down Splunk dashboard?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor