- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Some time questions.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some time questions.
I'm working on a financial data dashboard, and i have a few panels that pull data from last year relative to this year (now).
Question 1.
So.. I'm trying to get a sum from the current week number last year. They want to see sales data for the week last year, and compare that to sales data for the current week. I see where I can get "week number" as a field
|my base search
| eval weeknumber=strftime(_time,"%U")
What id like to be able to do is
basesearch earliest=-1y,weeknumber17@w0 latest=-1y+current_#_of_days_in_this_years_week17
Question 2.
Is there a Splunk earliest=currentfiscalyear latest=now or do I have to construct something that will always identify February,1st regardless of the year. Or.. am I stuck entering earliest="2/1/2020:00:00:00" and just setting a reminder to edit the search once a year? Should I just define them in times.conf and then call them from the search? If so.. what might that look like?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q1:
| makeresults
| eval time = strftime(_time , "%Y %j")
| eval time2 = relative_time(strptime(time,"%Y %j"),"@w0")
| convert ctime(time2) as time2_h
How's %j and relavie_time?
Q2:
https://answers.splunk.com/answers/783096/how-to-identify-fiscal-year-in-dashboard-reporting.html
I think you should make current Fiscal year
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't use all of the parameters I created, but I did setup a "silent" search on the dashboard to generate them.
<search id="silentsearchgettimes">
<query>| makeresults count=1| eval weeknumber=strftime(_time,"%U"), mdaynumber=strftime(_time,"%d") , absdaynumber=strftime(_time,"%j"), wdaynumber=strftime(_time,"%w"), monthnumber=strftime(_time,"%m"), dayhour=strftime(_time,"%w%H"),hour=strftime(_time,"%H"),combined=strftime(_time,"%U%w%H")</query>
<earliest>-10m</earliest>
<latest>now</latest>
<finalized>
<condition match=" 'job.resultCount' != 0">
<set token="monthnumber">$result.monthnumber$</set>
<set token="weeknumber">$result.weeknumber$</set>
<set token="absdaynumber">$result.absdaynumber$</set>
<set token="wdaynumber">$result.wdaynumber$</set>
<set token="mdaynumber">$result.mdaynumber$</set>
<set token="dayhour">$result.dayhour$</set>
<set token="hour">$result.hour$</set>
<set token="combined">$result.combined$</set>
</condition>
</finalized>
</search>
And then in individual searches called them. The one below uses "combined" which combines current week#,weekday# and hour.. So the output right now for combined would be 17413..This keeps last years week to date panel in line with a current search of live data using earliest=@w0 latest=now. At least within an hour.
index="someindex " sourcetype="order_csv" source="order_history_updDateFormat.csv" host="somehost" earliest=-1y@w0 latest=-1y+7d | fields revenue
|eval combined=strftime(_time,"%U%w%H")
|where combined<=$combined$
|stats sum(revenue) AS Revenue
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
