Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

show/where the result from count when result is odd or even number

Mike6960
Path Finder
‎11-29-2017 03:00 AM

Is it possible to search results from a count when they are odd or even?
So the results only show the lines/events which have an odd or even number as count

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-29-2017 03:26 AM

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-29-2017 03:26 AM

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 05:58 AM

Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-29-2017 06:34 AM

@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.

Try the following run anywhere search, which should explain the process:

|  gentimes start=11/10/2017 end=11/20/2017 increment=1d
|  fields starttime
|  rename starttime as _time
|  eval Dividend=1
|  eval Divisor=2
|  accum Dividend
|  eval ModularDivisionRemainder=Dividend%Divisor
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 11:11 PM

Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. 😉
Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-30-2017 12:31 AM

@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-29-2017 06:26 AM

Modular division returns theremainder, so modular division by 2 can only result in a 1 or 0. Therefore 4%2===0.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...