Answers for "Count when sum reaches specific number then start over."
https://answers.splunk.com/answers/119776/count-when-sum-reaches-specific-number-then-start-over.html
The latest answers for the question "Count when sum reaches specific number then start over."
Answer by mkinsley_splunk
https://answers.splunk.com/answering/119837/view.html
What you want is the modulo operator. It is essentially the remainder after a division operation. As the dividend increases, the remainder increases, until a number is reached that divides perfectly and thus the remainder resets to zero over and over again. Exactly what you are looking for.
Here is a sample query:
index=_internal | stats count as cat_val by date_hour | accum cat_val as subtotal | eval i = subtotal % 6
Notice that i cycles between 0 and 5 and then continues to cycle as you want.
Fri, 24 Jan 2014 06:53:54 GMT
mkinsley_splunk
Answer by aholzer
https://answers.splunk.com/answering/119794/view.html
Try the following:
<base_search> | stats count by day | accum count as accum_cnt | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt)
This will aggregate the counts by the day. Then it will start running the cumulative for your count by day. When it reaches a value of 5 or greater it will change it to 0. Look for days with a value of 0.
If you want to save the value that it hit which equates to above 5 you can try something like this:
<base_search> | stats count by day | accum count as accum_cnt | eval accum_cnt_over = if(accum_cnt>=5,accum_cnt,0) | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt) | where accum_cnt_over>0
Hope this helps
Thu, 23 Jan 2014 22:05:48 GMT
aholzer
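The pipelines from both answers, modelled in Python on a constructed list of daily counts so that each query's per-row output can be compared with a counter that restarts once the threshold is reached. This is an added example, not part of either answer: the function names and sample counts are assumptions, and `accum` is modelled as a plain running total.

```python
from itertools import accumulate

# Constructed sample: events per day (not taken from the thread).
DAILY_COUNTS = [2, 2, 3, 1, 1, 4, 2]

def accum(values):
    """Model of SPL `accum`: a running total over the rows, never reset."""
    return list(accumulate(values))

def modulo_cycle(values, modulus=6):
    """Model of `accum cat_val as subtotal | eval i = subtotal % 6`."""
    return [subtotal % modulus for subtotal in accum(values)]

def threshold_to_zero(values, threshold=5):
    """Model of `accum count as accum_cnt
    | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt)`.
    The eval rewrites the displayed field; the running total is already computed."""
    return [0 if total >= threshold else total for total in accum(values)]

def resetting_counter(values, threshold=5):
    """Reference behaviour: add rows until the sum reaches the threshold,
    record that row, then start again from zero.
    Returns (sum shown on each row, indexes of rows that hit the threshold)."""
    running, shown, hits = 0, [], []
    for index, value in enumerate(values):
        running += value
        shown.append(running)
        if running >= threshold:
            hits.append(index)
            running = 0
    return shown, hits

if __name__ == "__main__":
    shown, hits = resetting_counter(DAILY_COUNTS)
    columns = zip(DAILY_COUNTS, accum(DAILY_COUNTS), modulo_cycle(DAILY_COUNTS),
                  threshold_to_zero(DAILY_COUNTS), shown)
    print("day count accum mod6 if>=5 reset")
    for day, row in enumerate(columns):
        marker = " <- threshold reached" if day in hits else ""
        print(f"{day:>3} " + " ".join(f"{v:>5}" for v in row) + marker)
```

On this input the modulo column wraps on the same rows where the resetting counter fires, while the `if>=5` column reads 0 on every row from the first crossing onward.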