Archive

show/where the result from count when result is odd or even number

Mike6960
Path Finder

Is it possible to search results from a count when they are odd or even?
So the results only show the lines/events which have an odd or even number as count

Tags (1)
0 Karma
1 Solution

niketnilay
Legend

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketnilay
Legend

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Mike6960
Path Finder

Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?

0 Karma

niketnilay
Legend

@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.

Try the following run anywhere search, which should explain the process:

|  gentimes start=11/10/2017 end=11/20/2017 increment=1d
|  fields starttime
|  rename starttime as _time
|  eval Dividend=1
|  eval Divisor=2
|  accum Dividend
|  eval ModularDivisionRemainder=Dividend%Divisor
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Mike6960
Path Finder

Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. 😉
Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.

0 Karma

niketnilay
Legend

@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Modular division returns theremainder, so modular division by 2 can only result in a 1 or 0. Therefore 4%2===0.

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!