Samples the event stream. Events that do not have the field being sampled are discarded.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field | string | false | @timestamp | The names of the field to use for sampling events. |
percentage | number | false | 1 | Keep this percentage of the events. [a] |
| Maximum | 100 | |||
| Valid Values | 1 | |||
[a] When you provide only one parameter, the implied parameter is | ||||
Examples
Sample events keeping only 2% of the events
logscale
sample(percentage=2)Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit:
logscale
sample(percentage=0.1) | groupby(host) | sort()