Re: showing results by yearly quarter

aadye · ‎01-28-2013

I'm very new to Splunk.

I have a requirement to display reports based on a last modified date, so in theory I would have a drop down for (Q1, Q2, Q3, Q4) and another for the years (2001, 2002, 2003...) My dates are stored in Month/Day/Year format.

Could somebody suggest the best way for me to go about this?

TIA

yannK · ‎01-28-2013

You can specify a specific timerange for you searches, but in your case you probably want to display results per quarter all together on the same panel.

So another solution is to define a field for you range, based on the timestamp
(check date_month, date_day, date_year, unfortunately the date_month is a text, it may be easier to extract it as a number.)

example if your quarter is per month

mysearch | convert TIMEFORMAT="%m" ctime(_time) AS month | eval quarter=date_year."-".case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4",1=1,"missing") | stats count by quarter | sort -quarter

aadye · ‎01-31-2013

I search and pass the time field piping that into your suggestion...
As an example I see results like below:
quarter | time
2011-Q3 | 8/19/2012 11:57:54 PM
2013-Q1 | 10/14/2005 6:22:37 PM

yannK · ‎01-29-2013

strange, verify that the timestamp detected by splunk is matching your timestamp in the event.

aadye · ‎01-29-2013

Thank for your reply, It appears to group all of my data into yyyy-Qx nicely, but I'm confused as to what is in the groups, for example in group Q1-2007 I see "2/12/2008 00:01:02". Do I need to tweek it for the format somehow?

TIA

showing results by yearly quarter

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!