Is it possible to search results from a count when they are odd or even?
So the results only show the lines/events which have an odd or even number as count
@Mike6960, you can perform a modular division by 2
to identify 0 as Even
and 1 as Odd
. i.e. <YourCountField>%2
. Please try the following run anywhere search:
index=_internal sourcetype=splunkd
| stats count as Total by component
| eval Filter=if(Total%2==0,"Even","Odd")
| search Filter="Odd"
@Mike6960, you can perform a modular division by 2
to identify 0 as Even
and 1 as Odd
. i.e. <YourCountField>%2
. Please try the following run anywhere search:
index=_internal sourcetype=splunkd
| stats count as Total by component
| eval Filter=if(Total%2==0,"Even","Odd")
| search Filter="Odd"
Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?
@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.
Try the following run anywhere search, which should explain the process:
| gentimes start=11/10/2017 end=11/20/2017 increment=1d
| fields starttime
| rename starttime as _time
| eval Dividend=1
| eval Divisor=2
| accum Dividend
| eval ModularDivisionRemainder=Dividend%Divisor
Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. 😉
Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.
@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday 🙂
Modular division returns theremainder
, so modular division by 2 can only result in a 1
or 0
. Therefore 4%2===0
.