Samples the event stream. Events that do not have the field being sampled are discarded.
Function Traits: Filter
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field | string | optional | @timestamp | The names of the field to use for sampling events. |
percentage[a] | number | optional | 1 | Keep this percentage of the events. |
| Maximum | 100 | |||
| Valid Values | 1 | |||
[a] The argument name | ||||
The parameter name for percentage can be omitted; the following forms are equivalent:
logscale
sample("1")and:
logscale
sample(percentage="1")sample() Examples
Sample events keeping only 2% of the events
logscale
sample(percentage=2)Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit:
logscale
sample(percentage=0.1)
| groupby(host)
| sort()