I've been trying to create a yearly/half-yearly/quarterly/monthly/weekly report using the timechart command with span.
Actually, most Japanese companies' 1st quarter starts in April, so I would like to define our own quarter terms as Apr-Jun, Jul-Sep, Oct-Dec, Jan-Mar. Based on this rule, the year term also runs from Apr to Mar, and the half-year terms must be from Apr to Sep and from Oct to Mar.
As far as Splunk's functions go, the year's starting month seems to be fixed as Jan and cannot be changed.
(Our basic Time Period)
Quarter Apr-Jun etc
(Search command) The following commands are not applicable to the above requirement.
… | timechart span=1y count as …
… | timechart span=6mon count as …
… | timechart span=1q count as …
I've tried to use the following command, but it did not count from Apr.
earliest=@y4 latest=@y3 | timechart
Do you know a way to change the year starting date from 1-Jan to 1-Apr? Or if there is a better alternative, please let me know.
Old thread, I know, but here's an answer for anyone looking for this in the future.
Our fiscal year starts in October. I use the following in our DateTime Picker (defined in User Interface > Time Ranges):
This Fiscal Year: earliest=-3q@y+3q latest=+q@y+3q
Previous Fiscal Year: earliest=-y-3q@y+3q latest=-y+q@y+3q
Haven't extensively tested it through a full year's range, but at least on paper it looks good, at least for those instances where the fiscal year boundary corresponds to a quarterly boundary. For This Fiscal Year, the calculation basically is to back up 3 quarters from the current date, snap to the year, and add 3 quarters to it; the latest is to add one quarter to the current date, get the year, and add 3 quarters to that. Previous FY just backs up a year before doing the same calculation.
e.g. #1: Jan 1, 2020, earliest = (Jan 1, 2020 - 3 quarters) = Mar 1, 2019 = snap to 2019 + 3 quarters = Oct 2019
e.g. #2: Sep 30, 2020, earliest = (Sep 30, 2020 - 3 quarters) = Dec 30, 2019 = snap to 2019 + 3 quarters = Oct 2019
Other examples and customizing for your fiscal year boundaries are left to the reader. But do let me know if you find a flaw with this approach!
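The modifier arithmetic from the answer above can be checked for every day of a year with a small model of Splunk's relative time modifiers. This is an added example, not code from the thread or from Splunk: the helper names are hypothetical, only the `mon`, `q` and `y` units are modelled, the day clamping in `add_months` is an assumption, and the April-start pair `-q@y+q` / `+3q@y+q` used in the check is an adaptation derived here, not something posted in the thread.

```python
import calendar
import re
from datetime import date, timedelta

# Months per unit; only the units that appear in this thread are modelled.
UNIT_MONTHS = {"mon": 1, "q": 3, "y": 12}
TOKEN = re.compile(r"([+-])(\d*)(mon|q|y)|@(mon|q|y)")

def add_months(d, n):
    """Shift d by n months, clamping the day to the target month (assumption)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + n, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def snap(d, unit):
    # First day of the enclosing calendar year, quarter or month.
    first = {"y": 1, "q": 3 * ((d.month - 1) // 3) + 1, "mon": d.month}[unit]
    return date(d.year, first, 1)

def resolve(modifier, now):
    """Apply a modifier such as '-3q@y+3q' left to right, starting from now."""
    pos, d = 0, now
    for m in TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError("unsupported modifier: " + modifier)
        pos = m.end()
        if m.group(4):
            d = snap(d, m.group(4))
        else:
            n = int(m.group(2) or 1) * UNIT_MONTHS[m.group(3)]
            d = add_months(d, n if m.group(1) == "+" else -n)
    if pos != len(modifier):
        raise ValueError("unsupported modifier: " + modifier)
    return d

def fiscal_start(d, start_month):
    """First day of the fiscal year (starting in start_month) that contains d."""
    return date(d.year if d.month >= start_month else d.year - 1, start_month, 1)

def mismatches(earliest, latest, start_month, year=2020):
    """Days of `year` on which the pair does not bound the current fiscal year."""
    bad, d = [], date(year, 1, 1)
    while d.year == year:
        want = fiscal_start(d, start_month)
        got = (resolve(earliest, d), resolve(latest, d))
        if got != (want, add_months(want, 12)):
            bad.append((d, got))
        d += timedelta(days=1)
    return bad
```

An empty list from `mismatches("-3q@y+3q", "+q@y+3q", 10)` means the October pair bounds the right fiscal year on every day of 2020, leap day included; a plain calendar-year pair such as `@y` / `+y@y` fails on every day when checked against an April start.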
Thank you for your prompt reply.
Unfortunately, we did not get the expected result, but we were able to find an appropriate command, as follows:
convert TIMEFORMAT="%m" ctime(_time) AS month | eval
month<=12,date_year."年度後期",1=1,"missing") | chart count as "アクセス数" by
half period_search_name usenull=f useother=f
I appreciate your support.
Hi okakizaki [Splunk],
Take a look at the docs of times.conf http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Timesconf and get details on how to set a custom time range.
You could use something like this:
-y@y+3mon@mon as earliest (will be last year 1st of April) and
-y@y+6mon@mon as latest - adapt as needed.
Hope this helps ...