Dashboards & Visualizations

showing results by yearly quarter

aadye
Explorer

I'm very new to Splunk.

I have a requirement to display reports based on a last modified date, so in theory I would have a drop down for (Q1, Q2, Q3, Q4) and another for the years (2001, 2002, 2003...) My dates are stored in Month/Day/Year format.

Could somebody suggest the best way for me to go about this?

TIA

Tags (2)

yannK
Splunk Employee
Splunk Employee

You can specify a specific timerange for you searches, but in your case you probably want to display results per quarter all together on the same panel.

So another solution is to define a field for you range, based on the timestamp
(check date_month, date_day, date_year, unfortunately the date_month is a text, it may be easier to extract it as a number.)

example if your quarter is per month

mysearch | convert TIMEFORMAT="%m" ctime(_time) AS month | eval quarter=date_year."-".case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4",1=1,"missing") | stats count by quarter | sort -quarter

aadye
Explorer

I search and pass the time field piping that into your suggestion...
As an example I see results like below:
quarter | time
2011-Q3 | 8/19/2012 11:57:54 PM
2013-Q1 | 10/14/2005 6:22:37 PM

0 Karma

yannK
Splunk Employee
Splunk Employee

strange, verify that the timestamp detected by splunk is matching your timestamp in the event.

0 Karma

aadye
Explorer

Thank for your reply, It appears to group all of my data into yyyy-Qx nicely, but I'm confused as to what is in the groups, for example in group Q1-2007 I see "2/12/2008 00:01:02". Do I need to tweek it for the format somehow?

TIA

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...