
Quarter drop-down Splunk dashboard?

Inayath_khan
Path Finder

Hi Folks,

I have been working on creating a drop-down where 1Q should represent Jan, Feb, March data, 2Q = April, May, June data, etc. Also, when I select 1Q in my drop-down, below it I should display Jan, Feb, March, either in the same panel or a different one. Please guide me on how I can achieve this?

Thanks in advance

1 Solution

niketn
Legend

@Inayath_khan the correct answer to your question depends on what your use case is. If you want your input to show values as Q1, Q2..., the current year's Q3 and Q4 have not come yet. So ideally:

(1) Either you should show Current Quarter, Previous Quarter, etc. kind of information, which keeps rolling as per the current quarter.
(2) Or have a first selection of year and then display the quarters which are valid as per the current year's quarters.

Also, once you select a quarter, do you want to pass EPOCH time as the earliest and latest filter, or the quarter name directly, to your SPL? This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).

Following is the SPL that you can try:

1) Option 1:

| makeresults 
| fields - _time 
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q"),TimeLatest=relative_time(now(),"@q+1q") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q")
    ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
    ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
    ]

2) Option 2:

| makeresults 
| fields - _time 
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
        ]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
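
One way to wire Option 2 into a Simple XML dashboard, added here as an example and not part of the original answer. The token name tokQuarter, the field name TimeFilter and the index your_index are assumptions; the drop-down carries a ready-made "earliest=... latest=..." fragment so the panel search needs only one token.

```xml
<form>
  <label>Quarterly view (added example)</label>
  <fieldset submitButton="false">
    <!-- tokQuarter is an assumed token name -->
    <input type="dropdown" token="tokQuarter" searchWhenChanged="true">
      <label>Quarter</label>
      <!-- Label is shown to the user; TimeFilter is what the token carries -->
      <fieldForLabel>Label</fieldForLabel>
      <fieldForValue>TimeFilter</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <!-- Same time modifiers as Option 2, generated in one pass.
             TimeFilter (assumed field name) packs both epoch bounds into
             a single search fragment of earliest and latest. -->
        <query>| makeresults count=4
| streamstats count AS q
| eval Label="Q".tostring(q)." (prev year)"
| eval TimeEarliest=relative_time(now(), "-1y@y+".tostring(q-1)."q")
| eval TimeLatest=relative_time(now(), "-1y@y+".tostring(q)."q-1s")
| eval TimeFilter="earliest=".tostring(TimeEarliest)." latest=".tostring(TimeLatest)
| table Label TimeFilter</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events per month in the selected quarter</title>
      <chart>
        <search>
          <!-- your_index is a placeholder; the token expands to
               the earliest and latest epoch bounds of the quarter -->
          <query>index=your_index $tokQuarter$
| timechart span=1mon count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Because earliest and latest are written into the search string, they take precedence over any time range picker on the dashboard, and the monthly timechart gives one column per month of the selected quarter.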


Inayath_khan
Path Finder

Thanks buddy this helped me.


niketn
Legend

@Inayath_khan I have converted my comment to an answer. Please accept if your issue has been resolved!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"