
Quarter drop-down Splunk dashboard?

Inayath_khan
Path Finder

Hi Folks,

I have been working on creating a drop-down where 1Q should represent Jan, Feb, March data, 2Q = April, May, June data, etc. Also, when I select 1Q in my drop-down, I should display Jan, Feb, March below, either in the same panel or in different panels. Please guide me on how I can achieve this.

Thanks in advance

0 Karma
1 Solution

niketn
Legend

@Inayath_khan the correct answer to your question depends on what your use case is. If you want your input to show values as Q1, Q2...: for the current year, Q3 and Q4 have not come yet. So ideally

(1) Either you should show Current Quarter, Previous Quarter, etc. kind of information, which keeps rolling as per the current quarter.
(2) Or have a first selection of year and then display the quarters which are valid as per the current year's quarters.

Also, once you select a quarter, do you want to pass EPOCH time as the earliest and latest filter, or the quarter name directly to your SPL? This will depend on your data (EPOCH time should always work provided _time extraction is correct in your data).

The following is the SPL that you can try for

1) Option 1:

| makeresults 
| fields - _time 
| eval Label="Current Quarter", TimeEarliest=relative_time(now(),"@q"),TimeLatest=relative_time(now(),"@q+1q") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="1 Quarter Ago",TimeEarliest=relative_time(now(),"@q-1q"),TimeLatest=relative_time(now(),"@q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="2 Quarter Ago",TimeEarliest=relative_time(now(),"@q-2q"),TimeLatest=relative_time(now(),"@q-1q")
        ]
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="3 Quarter Ago",TimeEarliest=relative_time(now(),"@q-3q"),TimeLatest=relative_time(now(),"@q-2q")
        ]

and Option 2)

| makeresults 
| fields - _time 
| eval Label="Q1 (prev year)", TimeEarliest=relative_time(now(),"-1y@y+0q"),TimeLatest=relative_time(now(),"-1y@y+1q-1s") 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q2 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+1q"),TimeLatest=relative_time(now(),"-1y@y+2q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q3 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+2q"),TimeLatest=relative_time(now(),"-1y@y+3q-1s")
        ] 
| append 
    [| makeresults 
    | fields - _time 
    | eval Label="Q4 (prev year)",TimeEarliest=relative_time(now(),"-1y@y+3q"),TimeLatest=relative_time(now(),"-1y@y+4q-1s")
        ]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
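
An added example (not part of niketn's answer and not Splunk's own code): a Simple XML form that feeds a quarter-listing search of the kind shown above into a drop-down and passes the selected quarter to a panel as epoch earliest/latest tokens, charted per month. The token names, the index name my_index and the compact makeresults generator are assumptions made for illustration.

```xml
<form>
  <label>Quarterly view (added example)</label>
  <fieldset submitButton="false">
    <!-- Drop-down populated by a search: one row per quarter, newest first -->
    <input type="dropdown" token="tokEarliest" searchWhenChanged="true">
      <label>Quarter</label>
      <fieldForLabel>Label</fieldForLabel>
      <fieldForValue>TimeEarliest</fieldForValue>
      <search>
        <query>| makeresults count=4
| streamstats count as n
| eval n=n-1
| eval TimeEarliest=if(n=0, relative_time(now(),"@q"), relative_time(now(),"@q-".n."q"))
| eval Label=strftime(TimeEarliest,"%Y")." Q".ceiling(tonumber(strftime(TimeEarliest,"%m"))/3)
| fields Label TimeEarliest</query>
      </search>
      <change>
        <!-- Latest bound = start of the following quarter (latest is exclusive) -->
        <eval token="tokLatest">relative_time($value$,"+1q")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Events per month in the selected quarter</title>
        <search>
          <!-- my_index is a placeholder index name -->
          <query>index=my_index | timechart span=1mon count</query>
          <earliest>$tokEarliest$</earliest>
          <latest>$tokLatest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the drop-down value is an epoch number produced by the populating search, the panel's time range does not depend on how the quarter is labelled.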


Inayath_khan
Path Finder

Thanks buddy this helped me.

0 Karma

niketn
Legend

@Inayath_khan I have converted my comment to answer. Please accept if your issue has been resolved!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma