Samples the event stream. Events that do not have the field being sampled are discarded.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| field | string | optional[a] | @timestamp | The name of the field to use for sampling events. |
| percentage[b] | double | optional[a] | 1 | Keep this percentage of the events. |
| Valid Values | | | | |
| Maximum | 100 | | | |
| | 1 | | | |

[a] Optional parameters use their default value unless explicitly set.
[b] The argument name percentage can be omitted.
Omitted Argument Names

The argument name for percentage can be omitted; the following forms of this function are equivalent:
logscale
sample("1")
and:
logscale
sample(percentage="1")
These examples show basic structure only.
sample() Examples
Sample events, keeping only 2% of the events:
logscale
sample(percentage=2)
Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit:
logscale
sample(percentage=0.1)
| groupby(host)
| sort()
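Why the last query still finds the most common hosts, shown as a Python simulation added here (not LogScale code and not part of the original documentation). It assumes sample() keeps each event independently with probability percentage/100; the host names, event counts and GROUP_LIMIT are constructed values.

```python
import random
from collections import Counter

GROUP_LIMIT = 1000  # constructed stand-in for a groupby limit, not a LogScale default


def make_events():
    """Constructed host values: three busy hosts plus a long tail of quiet ones."""
    events = ["web-1"] * 400_000 + ["web-2"] * 100_000 + ["db-1"] * 25_000
    for i in range(5_000):
        events += [f"tail-{i}"] * 5
    return events


def sample(events, percentage, rng):
    """Assumed model of sample(): keep each event with probability percentage/100."""
    keep = percentage / 100.0
    return [e for e in events if rng.random() < keep]


def top_hosts(events, n=3):
    """Counterpart of groupby(host) | sort(): busiest hosts, highest count first."""
    return [host for host, _ in Counter(events).most_common(n)]


def run(percentage=0.1, seed=7):
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    events = make_events()
    sampled = sample(events, percentage, rng)
    return {
        "groups_before": len(set(events)),   # distinct hosts without sampling
        "groups_after": len(set(sampled)),   # distinct hosts after sampling
        "top_before": top_hosts(events),
        "top_after": top_hosts(sampled),
        # Scale the sampled count back up to estimate the true event count.
        "estimated_web1": Counter(sampled)["web-1"] * 100 / percentage,
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Unsampled, the 5,003 distinct hosts exceed the constructed limit; after sampling, most of the long tail is gone while the busiest hosts keep their ranking, and counts can be scaled by 100/percentage to estimate totals.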