https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314716#M164704 <P>@Mike6960, you can perform a <CODE>modular division by 2</CODE> to identify <CODE>0 as Even</CODE> and <CODE>1 as Odd</CODE>. i.e. <CODE>&lt;YourCountField&gt;%2</CODE>. Please try the following run anywhere search:</P> <PRE><CODE>index=_internal sourcetype=splunkd | stats count as Total by component | eval Filter=if(Total%2==0,"Even","Odd") | search Filter="Odd" </CODE></PRE> Wed, 29 Nov 2017 11:26:04 GMT niketn 2017-11-29T11:26:04Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314715#M164703 <P>Is it possible to search results from a count when they are odd or even?<BR /> So the results only show the lines/events which have an odd or even number as count</P> Wed, 29 Nov 2017 11:00:37 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314715#M164703 Mike6960 2017-11-29T11:00:37Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314716#M164704 <P>@Mike6960, you can perform a <CODE>modular division by 2</CODE> to identify <CODE>0 as Even</CODE> and <CODE>1 as Odd</CODE>. i.e. <CODE>&lt;YourCountField&gt;%2</CODE>. Please try the following run anywhere search:</P> <PRE><CODE>index=_internal sourcetype=splunkd | stats count as Total by component | eval Filter=if(Total%2==0,"Even","Odd") | search Filter="Odd" </CODE></PRE> Wed, 29 Nov 2017 11:26:04 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314716#M164704 niketn 2017-11-29T11:26:04Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314717#M164705 <P>Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?</P> Wed, 29 Nov 2017 13:58:14 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314717#M164705 Mike6960 2017-11-29T13:58:14Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314718#M164706 <P>Modular division returns the<CODE>remainder</CODE>, so modular division by 2 can only result in a <CODE>1</CODE> or <CODE>0</CODE>. Therefore <CODE>4%2===0</CODE>. </P> Wed, 29 Nov 2017 14:26:11 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314718#M164706 cpetterborg 2017-11-29T14:26:11Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314719#M164707 <P>@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.</P> <P>Try the following run anywhere search, which should explain the process:</P> <PRE><CODE>| gentimes start=11/10/2017 end=11/20/2017 increment=1d | fields starttime | rename starttime as _time | eval Dividend=1 | eval Divisor=2 | accum Dividend | eval ModularDivisionRemainder=Dividend%Divisor </CODE></PRE> Wed, 29 Nov 2017 14:34:20 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314719#M164707 niketn 2017-11-29T14:34:20Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314720#M164708 <P>Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. <span class="lia-unicode-emoji" title=":winking_face:">😉</span> <BR /> Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.</P> Thu, 30 Nov 2017 07:11:49 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314720#M164708 Mike6960 2017-11-30T07:11:49Z https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314721#M164709 <P>@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 Nov 2017 08:31:48 GMT https://community.splunk.com/t5/Splunk-Search/show-where-the-result-from-count-when-result-is-odd-or-even/m-p/314721#M164709 niketn 2017-11-30T08:31:48Z