https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312205#M161880 <P>Well, I was really hoping for a hidden argument to <CODE>addinfo</CODE> that would give it to me. (Seems like the output of that command hasn't been updated since like the Splunk 3.x days, despite a massive increase in product functionality since then.)</P> <P>But that works assuming you don't end up with more than 1000 search jobs. I'd probably add a <CODE>splunk_server=local</CODE> to the rest command.</P> Wed, 04 Apr 2018 16:48:53 GMT Lowell 2018-04-04T16:48:53Z https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312203#M161878 <P>Is there a way for a search to determine its own sample ratio at search time?</P> <P>This would be helpful when scaling results based on the sample ratio. For example, if a <CODE>eventtype=myevent | stats count</CODE> returns 57 at sample of 10:1, then I can estimate than a full search (no sample) would return a count of ~ 570.</P> <P>Seems like the should be away to do this with some combination of <CODE>addinfo</CODE> and possibly <CODE>rest</CODE>...?</P> Tue, 03 Apr 2018 21:36:00 GMT https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312203#M161878 Lowell 2018-04-03T21:36:00Z https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312204#M161879 <P>Something like this?</P> <PRE><CODE>index=* | addinfo | stats values(info_sid) as sid | join sid [| rest /services/search/jobs | stats values(request.sample_ratio) AS request.sample_ratio by sid ] </CODE></PRE> Wed, 04 Apr 2018 00:16:09 GMT https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312204#M161879 jconger 2018-04-04T00:16:09Z https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312205#M161880 <P>Well, I was really hoping for a hidden argument to <CODE>addinfo</CODE> that would give it to me. (Seems like the output of that command hasn't been updated since like the Splunk 3.x days, despite a massive increase in product functionality since then.)</P> <P>But that works assuming you don't end up with more than 1000 search jobs. I'd probably add a <CODE>splunk_server=local</CODE> to the rest command.</P> Wed, 04 Apr 2018 16:48:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312205#M161880 Lowell 2018-04-04T16:48:53Z https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312206#M161881 <P>Here's an expanded example that approaches the problem in a slightly different way. It only lookups up a single job via the REST request, but yet is has an extra subsearch (not sure the performance implications.) </P> <PRE><CODE>| stats count | appendcols [ rest splunk_server=local /services/search/jobs [ makeresults | addinfo | eval sid=replace(info_sid, "^.*subsearch_(.*?\d+\.\d+)_.*$", "\1") | eval search="search=sid=".sid | table search ] | table request.* ] </CODE></PRE> <P>Note that the use of <CODE>appendcols</CODE> requires results not events as an input. (Think "Events" tab vs "Statistics" tab.) It's also possible to use <CODE>append</CODE> or (preferably) <CODE>appendpipe</CODE> but then you'll only have a single result at the end that contains the <CODE>request.*</CODE> fields, which is still workable in some situations, but a bit less ideal.</P> Wed, 04 Apr 2018 16:59:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-a-search-detect-it-s-own-sample-ratio/m-p/312206#M161881 Lowell 2018-04-04T16:59:53Z