Splunk Search

show/where the result from count when result is odd or even number

Mike6960
Path Finder

Is it possible to search results from a count when they are odd or even?
So the results only show the lines/events which have an odd or even number as count

Tags (1)
0 Karma
1 Solution

niketn
Legend

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Mike6960
Path Finder

Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?

0 Karma

niketn
Legend

@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.

Try the following run anywhere search, which should explain the process:

|  gentimes start=11/10/2017 end=11/20/2017 increment=1d
|  fields starttime
|  rename starttime as _time
|  eval Dividend=1
|  eval Divisor=2
|  accum Dividend
|  eval ModularDivisionRemainder=Dividend%Divisor
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Mike6960
Path Finder

Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. 😉
Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.

0 Karma

niketn
Legend

@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Modular division returns theremainder, so modular division by 2 can only result in a 1 or 0. Therefore 4%2===0.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...