Samples the event stream. Events that do not have the field being sampled are discarded.
| Parameter | Type | Required | Default Value | Description | |
|---|---|---|---|---|---|
field | string | optional[a] | @timestamp | The names of the field to use for sampling events. | |
percentage[b] | double | optional[a] | 1 | Keep this percentage of the events. | |
| Valid Values | |||||
| Maximum | 100 | ||||
1 | |||||
[a] Optional parameters use their default value unless explicitly set. [b] The argument name | |||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
percentagecan be omitted; the following forms of this function are equivalent:logscalesample("1")and:
logscalesample(percentage="1")These examples show basic structure only.
sample() Examples
Sample events keeping only 2% of the events
logscale
sample(percentage=2)Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit:
logscale
sample(percentage=0.1)
| groupby(host)
| sort()