Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set a bar chart by quarter?

danielbb
Motivator
‎04-15-2020 01:56 PM

I have the following code that shows leases that end in June.

| inputlookup Leases.csv  
| rename "Lease End" as leaseEnd 
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d") 
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y") 
| where Year = 2020 AND Month = 6

The requirement is to update the query to return leases ending by quarter i.e. Q1, Q2, Q3, Q4 2020 and display in a bar chart by quarter.

How can I do that? I don't know how to aggregate the data by quarter.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-15-2020 05:03 PM

| inputlookup Leases.csv

| rename "Lease End" as leaseEnd
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d")
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y")
| eval Quater=ceil(tonumber(Month)/3)."Q"
| where Year="2020"
| stats max(timestamp) as timestamp by Quater
| convert ctime(timestamp)
but Bar Chart?
Bar should be numeric. not string or text.

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-15-2020 05:03 PM

| inputlookup Leases.csv

| rename "Lease End" as leaseEnd
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d")
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y")
| eval Quater=ceil(tonumber(Month)/3)."Q"
| where Year="2020"
| stats max(timestamp) as timestamp by Quater
| convert ctime(timestamp)
but Bar Chart?
Bar should be numeric. not string or text.

Reply
Solved! Jump to solution

danielbb
Motivator
‎04-16-2020 06:54 AM

This is great - | eval Quater=ceil(tonumber(Month)/3)."Q"

0 Karma
Reply
Solved! Jump to solution

danielbb
Motivator
‎04-16-2020 01:53 PM

Thank you @to4kawa and I ended up with -

| inputlookup Leases.csv 
| rename "Lease End" as leaseEnd 
| eval timestamp=strptime(leaseEnd, "%Y-%m-%d") 
| eval Day=strftime(timestamp,"%d"), Month=strftime(timestamp,"%m"), Year=strftime(timestamp,"%Y") 
| eval Quarter=ceil(tonumber(Month)/3)."Q"
| eval nn =  Year + " " + Quarter
| stats count by nn
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-16-2020 02:17 PM

I see, Happy Splunking!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...