Samples the event stream. Events that do not have the field being sampled are discarded.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
field | string | optional[a] | @timestamp | The names of the field to use for sampling events. |
percentage[b] | double | optional[a] | 1 | Keep this percentage of the events. |
| Valid Values | ||||
| Maximum | 100 | |||
1 | ||||
[a] Optional parameters use their default value unless explicitly set. [b] The parameter name | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
percentagecan be omitted; the following forms of this function are equivalent:logscale Syntaxsample("value")and:
logscale Syntaxsample(percentage="value")These examples show basic structure only.
sample() Examples
Sample events keeping only 2% of the events
logscale
sample(percentage=2)Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit:
logscale
sample(percentage=0.1)
| groupby(host)
| sort()