Splunk Search

How to define the starting month of the year and original quarter periods (Apr - Jun, Jul - Sept, etc) in Splunk?

okakizaki_splun
Splunk Employee
Splunk Employee

I’ve been trying to create a yearly/half-yearly/quarterly/monthly/weekly report by using timechart and span command.
Actually most of all Japanese companies' 1st quarter starts from April, so I would like to define original quarter term like as Apr-Jun, Jul-Sep, Oct-Dec,Jan-Mar. Based on this rule, year term also become from Apr to Mar, and half-year term must be from Apr to Sep and from Oct to Mar.
As long as using Splunk function, year starting month seems to be fixed as Jan and cannot be changed.

(Our basic Time Period)
Year Apr-Mar
Half-year Apr-Sep
Quarter Apr-Jun etc

(Search command) following commands are not applicable to above requirement.

… | timechart span=1y count as …
… | timechart span=6mon count as …
… | timechart span=1q count as …

I’ve tried to use following command, but it was not counted from Apr.

earliest=@y4 latest=@y3 | timechart 

Do you know the way to change the year starting date from A-Jan to 1-Apr, or if there is a better alternative, please let me know.

0 Karma

aaron_sakovich
Path Finder

Old thread, I know, but here's an answer for anyone looking for this in the future.

Our fiscal year starts in October. I use the following in our DateTime Picker (defined in User Interface > Time Ranges😞

This Fiscal Year:         earliest=-3q@y+3q       latest=+q@y+3q
Previous Fiscal Year:     earliest=-y-3q@y+3q     latest=-y+q@y+3q

Haven't extensively tested it through a full year's range, but at least on paper it looks good, at least for those instances where the fiscal year boundary corresponds to a quarterly boundary. For This Fiscal Year, the calculation basically is to back up 3 quarters from the current date, snap to the year, and add 3 quarters to it; the latest is to add one quarter to the current date, get the year, and add 3 quarters to that. Previous FY just backs up a year before doing the same calculation.

e.g. #1: Jan 1, 2020, earliest = (Jan 1, 2020 - 3 quarters) = Mar 1, 2019 = snap to 2019 + 3 quarters = Oct 2019

e.g. #2: Sep 30, 2020, earliest = (Sep 30, 2020 - 3 quarters) = Dec 30, 2019 = snap to 2019 + 3 quarters = Oct 2019

Other examples and customizing for your fiscal year boundaries are left to the reader. But do let me know if you find a flaw with this approach!

0 Karma

okakizaki_splun
Splunk Employee
Splunk Employee

MuS
Thank you for your prompt reply.
Unfortunately, we've not received the expected result, but we could find the appropriate command like as follows

convert TIMEFORMAT="%m" ctime(_time) AS month | eval
half=case(month<=3,(date_year-1)."年度後期",month<=9,date_year."年度前期",
month<=12,date_year."年度後期",1=1,"missing") | chart count as "アクセス数" by
half period_search_name usenull=f useother=f

I appreciate your support.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi okakizaki [Splunk],

take a look at the docs of times.conf http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Timesconf and get details how to set a custom timerange.
you could use something like this -y@y+3mon@mon as earliest (will be last year 1st of April) and -y@y+6mon@mon as latest - adopt as needed.

Hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...