topic Re: Is event sampling possible using the REST API? in Getting Data In

Is event sampling possible using the REST API?

buntinas — Wed, 15 Jun 2016 13:59:18 GMT

The documentation describes how to set the sampling ratio in the Search app and dashboards, but not when using the REST API.

Is sampling possible using the REST API?

Re: Is event sampling possible using the REST API?

eyalsharon — Mon, 22 Aug 2016 10:05:40 GMT

Hi , I am also trying to understand if possible
Any update ?

Re: Is event sampling possible using the REST API?

jkat54 — Mon, 22 Aug 2016 16:54:22 GMT

&dispatch.sample_ratio=10 appears in the URL when I select 1:10.

So i will assume something like that is what you want to add to your request.

I did some testing, and I get multiple lists of results back.

The first list of results is the sample.

Re: Is event sampling possible using the REST API?

jkat54 — Mon, 22 Aug 2016 17:16:37 GMT

You might prefer to just use the | head command instead...

... | head 10

Re: Is event sampling possible using the REST API?

jkat54 — Mon, 22 Aug 2016 17:58:01 GMT

I dont like how the results still had all 15 billion results even though the sample ratio was set. So I used a similar technique to achieve similar results. First I created a command called randomint, then i used it in my search like this:

 ...| randomint 1 100| where randomint=2

 ...| randomint 1 100| where randomint=34

This will give a ratio of 1:100 of random events when executed by the API. I put the randomint command in my toolkit app: https://splunkbase.splunk.com/app/3265/

Basically you're attaching a field called randomint to all the events in the search pipeline, and then you're using a where clause to narrow down to just events that match 1 number between 1 and 100. If you wanted a different ration, you'd just do something like ...| randomint 1:50 | where randomint=17

Re: Is event sampling possible using the REST API?

jkat54 — Mon, 22 Aug 2016 19:00:17 GMT

Also, this will work:

 ... | eval a=random()%10 | where a=7

Thanks @micah in irc

Re: Is event sampling possible using the REST API?

jrizzo_splunk — Fri, 28 Apr 2017 18:48:41 GMT

The following worked for me.

$ splunk search 'index=_internal | stats count' -index_earliest 1493132552 -index_latest 1493404081 -sample_ratio 1000
INFO: Sampling disables usage of report acceleration summaries.
INFO: This search is sampling approximately 1 out of every 1000 events (seed=1317954456)
count
-----
   58





$ curl -sku user:pass https://localhost:8089/services/search/jobs/export --data-urlencode search='search index=_internal | stats count' -d output_mode=csv -d earliest_time='1493132552' -d latest_time='1493404081' -d sample_ratio='1000'
count
46