Splunk Search

Some time questions.


I'm working on a financial data dashboard, and I have a few panels that pull data from last year relative to this year (now).

Question 1.
So.. I'm trying to get a sum from the current week number last year. They want to see sales data for the week last year and compare that to sales data for the current week. I see where I can get "week number" as a field:

|my base search
| eval weeknumber=strftime(_time,"%U")

What I'd like to be able to do is

basesearch earliest=-1y,weeknumber17@w0 latest=-1y+current_#_of_days_in_this_years_week17

Question 2.
Is there a Splunk earliest=currentfiscalyear latest=now, or do I have to construct something that will always identify February 1st regardless of the year? Or.. am I stuck entering earliest="2/1/2020:00:00:00" and just setting a reminder to edit the search once a year? Should I just define them in times.conf and then call them from the search? If so.. what might that look like?


Ultra Champion


| makeresults 
| eval time = strftime(_time , "%Y %j")
| eval time2 = relative_time(strptime(time,"%Y %j"),"@w0")
| convert ctime(time2) as time2_h

How about %j and relative_time?


I think you should make current Fiscal year
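As an added example for the fiscal-year part of the question (this is not code from the answer above or from the original poster), here is a Simple XML panel that pins "current fiscal year" to 1 February without a yearly edit. A single relative-time modifier cannot say "1 Feb of this year, or of last year if it is still January", so the start is computed with eval and the earliest= bound is only there to keep the index scan short. The index, sourcetype and revenue field are the placeholders used later in this thread; the panel title and the fy_start field name are assumptions of mine.

```xml
<dashboard>
  <label>Fiscal year to date (FY starts 1 February)</label>
  <row>
    <panel>
      <title>Revenue, current fiscal year to date</title>
      <table>
        <search>
          <!-- earliest=-1y@y is 1 Jan of LAST year: always on or before the real
               fiscal-year start, so the time-range bound is never too narrow.
               fy_start is then 1 Feb of this year from February onward, and
               1 Feb of last year while it is still January. -->
          <query>index="someindex" sourcetype="order_csv" earliest=-1y@y latest=now
| eval fy_start=if(tonumber(strftime(now(),"%m"))&gt;=2,
                   relative_time(relative_time(now(),"@y"),"+1mon"),
                   relative_time(relative_time(now(),"-1y@y"),"+1mon"))
| where _time&gt;=fy_start
| stats sum(revenue) AS Revenue, min(fy_start) AS fy_start
| eval fy_start=strftime(fy_start,"%Y-%m-%d")</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The same eval line can be dropped into any other panel on the dashboard; a times.conf preset cannot carry the January/February branch, which is why the boundary is computed in the search rather than in a preset.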


I didn't use all of the parameters I created, but I did set up a "silent" search on the dashboard to generate them.

  <search id="silentsearchgettimes">
    <query>| makeresults count=1 | eval weeknumber=strftime(_time,"%U"), mdaynumber=strftime(_time,"%d"), absdaynumber=strftime(_time,"%j"), wdaynumber=strftime(_time,"%w"), monthnumber=strftime(_time,"%m"), dayhour=strftime(_time,"%w%H"), hour=strftime(_time,"%H"), combined=strftime(_time,"%U%w%H")</query>
    <!-- once the makeresults search finishes, publish each field as a dashboard token -->
    <done>
      <condition match=" 'job.resultCount' != 0">
        <set token="monthnumber">$result.monthnumber$</set>
        <set token="weeknumber">$result.weeknumber$</set>
        <set token="absdaynumber">$result.absdaynumber$</set>
        <set token="wdaynumber">$result.wdaynumber$</set>
        <set token="mdaynumber">$result.mdaynumber$</set>
        <set token="dayhour">$result.dayhour$</set>
        <set token="hour">$result.hour$</set>
        <set token="combined">$result.combined$</set>
      </condition>
    </done>
  </search>

And then in individual searches I called them. The one below uses "combined", which combines the current week#, weekday# and hour. So the output right now for combined would be 17413. This keeps last year's week-to-date panel in line with a current search of live data using earliest=@w0 latest=now, at least within an hour.

index="someindex" sourcetype="order_csv" source="order_history_updDateFormat.csv" host="somehost" earliest=-1y@w0 latest=-1y+7d
| fields revenue
| eval combined=strftime(_time,"%U%w%H")
| where combined<=$combined$
| stats sum(revenue) AS Revenue
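An added example for the week-to-date comparison; it is not the poster's own search. It keeps the idea of cutting last year's week off at the current weekday and hour, but compares only %w%H inside a window that is already bounded to that one week, instead of %U%w%H. The reason is a caveat worth knowing: the Sunday one year ago does not always carry the same %U week number as this Sunday (a year is 52 weeks plus a day or two), and when last year's number is one lower, a combined<= test is true for the entire week, so the panel silently shows a full week instead of week-to-date. The index, sourcetype, host and revenue field are the thread's placeholders; the panel title and output field names are assumptions of mine.

```xml
<dashboard>
  <label>Week to date, this year vs same week last year</label>
  <row>
    <panel>
      <title>Revenue week to date, through the current weekday and hour</title>
      <table>
        <search>
          <!-- Outer search: Sunday 00:00 of the current week up to now.
               Subsearch: the week containing "one year ago", bounded to exactly
               seven calendar days from its Sunday, then cut off at the current
               weekday+hour. %w%H is a fixed-width 3-character string on both
               sides, so the string comparison orders the same way as numbers. -->
          <query>index="someindex" sourcetype="order_csv" host="somehost" earliest=@w0 latest=now
| stats sum(revenue) AS Revenue_ThisYear
| appendcols [
    search index="someindex" sourcetype="order_csv" host="somehost" earliest=-1y@w0 latest=-1y+7d
    | eval wk_start=relative_time(now(),"-1y@w0"),
           wk_end=relative_time(relative_time(now(),"-1y@w0"),"+7d"),
           wdayhour=strftime(_time,"%w%H"),
           cutoff=strftime(now(),"%w%H")
    | where _time&gt;=wk_start AND _time&lt;wk_end AND wdayhour&lt;=cutoff
    | stats sum(revenue) AS Revenue_LastYear ]
| eval Change_pct=round((Revenue_ThisYear-Revenue_LastYear)/Revenue_LastYear*100,1)</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

wk_end is computed with relative_time(...,"+7d") rather than by adding 7*86400 seconds so that the boundary stays at Sunday 00:00 across a DST change; if there were no events in last year's week, Revenue_LastYear and Change_pct simply come back empty.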
