Dashboards & Visualizations

Quarter drop-down Splunk dashboard?

Inayath_khan
Path Finder

Hi Folks,

I have been working on creating a drop-down where 1Q should represent Jan,feb,march data...2Q= April, may, June data etc.....Also when I select 1Q as my drop-down below I should display Jan , Feb , march either in same panel or different.. Please guide me how I can achieve this??

Thanks in advance

0 Karma
1 Solution

niketnilay
Legend

@Inayath_khan correct answer to your question depends on what is your use case. If you want your input to show values as Q1, Q2... Current year Q3 and Q4 have not come. So ideally

(1) Either You should either Show, Current Quarter and Previous Quarter etc kind of information which keep on rolling as per current quarter.
(2) Or have first selection of year and then display the quarters which are valid as per current year quarters.

Also once you select a quarter do you want to pass on EPOCH time as earliest and latest filter or Quarter name directly to your SPL. This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).

Following the SPL that you can try for

1) Option 1:

| makeresults 
| fields - _time 
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-4q"),TimeLatest=relative_time(now(),"@q-3q")
        ]

and Option 2)

| makeresults 
| fields - _time 
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
        ]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketnilay
Legend

@Inayath_khan correct answer to your question depends on what is your use case. If you want your input to show values as Q1, Q2... Current year Q3 and Q4 have not come. So ideally

(1) Either You should either Show, Current Quarter and Previous Quarter etc kind of information which keep on rolling as per current quarter.
(2) Or have first selection of year and then display the quarters which are valid as per current year quarters.

Also once you select a quarter do you want to pass on EPOCH time as earliest and latest filter or Quarter name directly to your SPL. This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).

Following the SPL that you can try for

1) Option 1:

| makeresults 
| fields - _time 
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-4q"),TimeLatest=relative_time(now(),"@q-3q")
        ]

and Option 2)

| makeresults 
| fields - _time 
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
        ]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

Inayath_khan
Path Finder

Thanks buddy this helped me.

0 Karma

niketnilay
Legend

@Inayath_khan I have converted my comment to answer. Please accept if your issue has been resolved!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.