- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to set a bar chart by quarter?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following code that shows leases that end in June.
| inputlookup Leases.csv
| rename "Lease End" as leaseEnd
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d")
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y")
| where Year = 2020 AND Month = 6
The requirement is to update the query to return leases ending by quarter i.e. Q1, Q2, Q3, Q4 2020 and display in a bar chart by quarter.
How can I do that? I don't know how to aggregate the data by quarter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| inputlookup Leases.csv
| rename "Lease End" as leaseEnd
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d")
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y")
| eval Quater=ceil(tonumber(Month)/3)."Q"
| where Year="2020"
| stats max(timestamp) as timestamp by Quater
| convert ctime(timestamp)
but Bar Chart?
Bar should be numeric. not string or text.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| inputlookup Leases.csv
| rename "Lease End" as leaseEnd
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d")
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y")
| eval Quater=ceil(tonumber(Month)/3)."Q"
| where Year="2020"
| stats max(timestamp) as timestamp by Quater
| convert ctime(timestamp)
but Bar Chart?
Bar should be numeric. not string or text.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is great - | eval Quater=ceil(tonumber(Month)/3)."Q"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @to4kawa and I ended up with -
| inputlookup Leases.csv
| rename "Lease End" as leaseEnd
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d")
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y")
| eval Quarter=ceil(tonumber(Month)/3)."Q"
| eval nn = Year + " " + Quarter
| stats count by nn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, Happy Splunking!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
