Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

show/where the result from count when result is odd or even number

Mike6960
Path Finder
‎11-29-2017 03:00 AM

Is it possible to search results from a count when they are odd or even?
So the results only show the lines/events which have an odd or even number as count

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-29-2017 03:26 AM

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-29-2017 03:26 AM

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 05:58 AM

Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-29-2017 06:34 AM

@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.

Try the following run anywhere search, which should explain the process:

|  gentimes start=11/10/2017 end=11/20/2017 increment=1d
|  fields starttime
|  rename starttime as _time
|  eval Dividend=1
|  eval Divisor=2
|  accum Dividend
|  eval ModularDivisionRemainder=Dividend%Divisor
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 11:11 PM

Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. 😉
Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-30-2017 12:31 AM

@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-29-2017 06:26 AM

Modular division returns theremainder, so modular division by 2 can only result in a 1 or 0. Therefore 4%2===0.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...