Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

show/where the result from count when result is odd or even number

Mike6960
Path Finder
‎11-29-2017 03:00 AM

Is it possible to search results from a count when they are odd or even?
So the results only show the lines/events which have an odd or even number as count

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-29-2017 03:26 AM

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-29-2017 03:26 AM

@Mike6960, you can perform a modular division by 2 to identify 0 as Even and 1 as Odd. i.e. <YourCountField>%2. Please try the following run anywhere search:

index=_internal sourcetype=splunkd
|  stats count as Total by component
|  eval Filter=if(Total%2==0,"Even","Odd")
|  search Filter="Odd"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 05:58 AM

Great idea. Thanks. I am trying to understand, what if the count is e.g. 4? Then Total(4) divided by 2 isn't 0. Or do i not understand the way "%2==0" works?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-29-2017 06:34 AM

@Mike6960, Modular division gives you remainder. Any Integer divided by 2 will give Either 0 i.e. is it is divisible by 2 or it gives 1 i.e. it gives a remainder of 1.

Try the following run anywhere search, which should explain the process:

|  gentimes start=11/10/2017 end=11/20/2017 increment=1d
|  fields starttime
|  rename starttime as _time
|  eval Dividend=1
|  eval Divisor=2
|  accum Dividend
|  eval ModularDivisionRemainder=Dividend%Divisor
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 11:11 PM

Aha, thanks. This clearifies the 'modulair division' . But also very usefull because I did not know of the accum command, gentimes. 😉
Also I did not know it was possible to 'insert' values (Dividend in your example). All in all, I learned a lot again.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-30-2017 12:31 AM

@Mike6960, Anytime. That's the beauty of this community, we all learn something new everyday 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-29-2017 06:26 AM

Modular division returns theremainder, so modular division by 2 can only result in a 1 or 0. Therefore 4%2===0.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...