Samples the event stream. Events that do not have the field being sampled are discarded.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field | string | optional[a] | @timestamp | The names of the field to use for sampling events. |
percentage[b] | double | optional[a] | 1 | Keep this percentage of the events. |
| Valid Values | ||||
| Maximum | 100 | |||
1 | ||||
[a] Optional parameters use their default value unless explicitly set [b] The argument name | ||||
Omitted Argument NamesThe argument name for
percentagecan be omitted; the following forms of this function are equivalent:logscalesample("1")and:
logscalesample(percentage="1")
sample() Examples
Sample events keeping only 2% of the events
logscale
sample(percentage=2)Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit:
logscale
sample(percentage=0.1)
| groupby(host)
| sort()