showing results by yearly quarter

aadye · ‎01-28-2013

I'm very new to Splunk.

I have a requirement to display reports based on a last modified date, so in theory I would have a drop down for (Q1, Q2, Q3, Q4) and another for the years (2001, 2002, 2003...) My dates are stored in Month/Day/Year format.

Could somebody suggest the best way for me to go about this?

TIA

yannK · ‎01-28-2013

You can specify a specific timerange for you searches, but in your case you probably want to display results per quarter all together on the same panel.

So another solution is to define a field for you range, based on the timestamp
(check date_month, date_day, date_year, unfortunately the date_month is a text, it may be easier to extract it as a number.)

example if your quarter is per month

mysearch | convert TIMEFORMAT="%m" ctime(_time) AS month | eval quarter=date_year."-".case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4",1=1,"missing") | stats count by quarter | sort -quarter

aadye · ‎01-31-2013

I search and pass the time field piping that into your suggestion...
As an example I see results like below:
quarter | time
2011-Q3 | 8/19/2012 11:57:54 PM
2013-Q1 | 10/14/2005 6:22:37 PM

yannK · ‎01-29-2013

strange, verify that the timestamp detected by splunk is matching your timestamp in the event.

aadye · ‎01-29-2013

Thank for your reply, It appears to group all of my data into yyyy-Qx nicely, but I'm confused as to what is in the groups, for example in group Q1-2007 I see "2/12/2008 00:01:02". Do I need to tweek it for the format somehow?

TIA

showing results by yearly quarter

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability