https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456691#M170507 <P>Hi @sssignals,</P> <P>By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search. </P> <P>For example in you case, you can call your data for the last 24 hours then append from -7d@d to -2d@d and apply the <CODE>sample</CODE> command on that <CODE>subsearch</CODE>which is found here : <A href="https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample">https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample</A></P> <P>This will give you a mix of sampled and non-sampled results. There is one caveat though, you won't be able to run any stats on those results as averages/max/min/etc of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled then it'll work.</P> <P>Let me know if that helps.</P> <P>Cheers,<BR /> David</P> Fri, 05 Jul 2019 09:02:20 GMT DavidHourani 2019-07-05T09:02:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456690#M170506 <P>Hi Splunk community</P> <P>I wanted to know if Splunk event sampling can be customized such that there is sampling for events from -7d@d to -2d@d and no sampling for example, last 24 hrs of events.</P> <P>I read the documentation so my conclusion is it cannot be done my way. Appreciate the confirmation from the Splunk community.</P> <P>I have a lot of events to trend but obviously recent events are more valuable than older events and I really hope to speed up my scheduled reports via non-uniform sampling.</P> <P>Many thanks.</P> Fri, 05 Jul 2019 08:27:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456690#M170506 sssignals 2019-07-05T08:27:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456691#M170507 <P>Hi @sssignals,</P> <P>By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search. </P> <P>For example in you case, you can call your data for the last 24 hours then append from -7d@d to -2d@d and apply the <CODE>sample</CODE> command on that <CODE>subsearch</CODE>which is found here : <A href="https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample">https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample</A></P> <P>This will give you a mix of sampled and non-sampled results. There is one caveat though, you won't be able to run any stats on those results as averages/max/min/etc of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled then it'll work.</P> <P>Let me know if that helps.</P> <P>Cheers,<BR /> David</P> Fri, 05 Jul 2019 09:02:20 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456691#M170507 DavidHourani 2019-07-05T09:02:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456692#M170508 <P>Thanks DavidHourani. I will try it out and feedback.</P> Mon, 15 Jul 2019 15:30:27 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-non-uniform-event-sampling/m-p/456692#M170508 sssignals 2019-07-15T15:30:27Z