• Blog
• Splunk

Set Up Dynamic Prior Quarter Time Range Selection In Your Dashboards 

By Marvin Martinez, Team Lead, Automation Engineering

Splunk Time Range inputs allow for a plethora of selections to accommodate any time range one’s heart desires. But what about when you need quick access to prior quarters and don’t want to have to keep dealing with clicking into the “Relative” section and selecting 1, 2, 3, or even 4 quarters ago? Of course, you could also manually set the Date Ranges in the “Date Range” section but that takes time and who’s got that kind of time nowadays?!

Instead, you could set up a drop down list that automatically calculates what the last four quarters are, with neat labels to identify them, and returns the time range for that quarter for any searches in your dashboard!

The labels above are all dynamic and will always be the last 4 quarters based on what the current date is. Let’s explore how to set up this drop down and then how to ensure the appropriate start and end dates are set so that all your panels can use them. First, the populating search for the drop down. Use the following search as the populating search for your dropdown list:

| makeresults count=4 

| streamstats count 

| eval current_time = now(), current_year = strftime(current_time,"%Y"), current_month 

= strftime(current_time, "%m") 

| eval month_start = (count - 1) * 3 + 1, current_year = IF(current_month < 

month_start+3,current_year-1,current_year), label = current_year . " - Q" . count 

| eval time_start = strptime(month_start . "-01-" . current_year,"%m-%d-%Y"), time_end

= relative_time(time_start,"+3mon@mon") 

| eval time_start_human = strftime(time_start,"%m/%d/%Y %T") 

| eval time_end_human = strftime(time_end,"%m/%d/%Y %T") 

| sort - label 

| table label time_start time_end time_start_human time_end_human 

The search above calculates the last four quarters but, if you notice, that’s only limited by the count of the makeresults command at the top. Feel free to extend it and go back a bit further if you need to. The search creates 4 entries and numbers them using the streamstats command. Once numbered, it extracts some of the date information (year, month, etc.) and does a little math to calculate where in the year (i.e. quarter) it is currently. Based on that, it generates the start date for each row (i.e. quarter). Once configured, it just sorts them accordingly and returns the field with the start date of the quarter (more on this in a bit) as the value for the dropdown list item and the label for the dropdown list in the “label” field.

So how do both the start AND end time ranges get set if only the start time is available as the value? Well, a little logic application is all it takes! Note that, in this dashboard, there was an option for a “custom” time range in which an actual time input is able to be selected to define any other custom time range desired as well. Feel free to reach out for more information on how to implement that, or keep your eyes out for a future blog on this topic! Enough teasing and back to setting the end time! Set up a change handler for your dropdown list as shown below:

      <change> 

        <condition match="$form.tok_time_range_select$!=&quot;custom&quot;"> 

          <unset token="tok_show_custom_time">true</unset> 

          <set token="tok_start_date">$tok_time_range_select$</set> 

          <eval token="tok_end_date">relative_time($tok_time_range_select$,"+94d@mon")
</eval> 

        </condition> 

        <condition label="Custom"> 

          <set token="tok_show_custom_time">true</set> 

          <set token="tok_start_date">$form.tok_time_range.earliest$</set> 

          <set token="tok_end_date">$form.tok_time_range.latest$</set> 

        </condition> 

      </change> 

The change handler checks to make sure the selected option isn’t “Custom” and does a few things:

• It unsets the token to show the custom time range selector to ensure that gets hidden away
• It sets the tok_start_date token which is what all the dashboard panel searches will be using as their start date.
• It sets the tok_end_date token which is what all the dashboard panel searches will be using as their end date. Rather than just grabbing it from the value like the start date could, it needs to be quickly calculated via an eval. The eval simply does a relative time of the start date token and adds 94 days (to ensure even 3 months of 31 days wouldn’t prevent it from pegging the end date to the start of the 4th month!) and then pegs it to the beginning of the month.

There you have it! Now, any panels in your dashboard (or better yet, your base search!) can just use the “tok_start_date” and “tok_end_date” tokens as their earliest/latest values and you can easily switch between quarters in your dashboard without having to worry about manually selecting x number of quarters ago or having to go in and define specific months!

Read more about TekStream Splunk Services

• Share This: