Hi Splunk community

I wanted to know if Splunk event sampling can be customized such that there is sampling for events from -7d@d to -2d@d and no sampling for example, last 24 hrs of events.

I read the documentation, so my conclusion is that it cannot be done my way. I would appreciate confirmation from the Splunk community.

I have a lot of events to trend but obviously recent events are more valuable than older events and I really hope to speed up my scheduled reports via non-uniform sampling.

Many thanks.

Hi @sssignals,

By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search.

For example, in your case, you can call your data for the last 24 hours, then append from -7d@d to -2d@d and apply the sample command on that subsearch, which is found here:

This will give you a mix of sampled and non-sampled results. There is one caveat though: you won't be able to run any stats on those results, as averages/max/min/etc. of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled, then it'll work.

Let me know if that helps.
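A worked SPL query for the append approach described in this answer, added here as an example and not taken from the original post. It assumes a hypothetical `index=web sourcetype=access_combined` dataset and a 1-in-10 sampling ratio; rather than the UI sampling setting it thins the older window inside the subsearch with `random() % 10 = 0`, since a subsearch cannot be given its own sampling ratio. A `sample_weight` field marks which rows came from the sampled window so nobody downstream mistakes the mix for complete data.

```spl
index=web sourcetype=access_combined earliest=-24h latest=now
| eval sample_weight=1
| append
    [ search index=web sourcetype=access_combined earliest=-7d@d latest=-2d@d
      | where random() % 10 = 0
      | eval sample_weight=10 ]
| sort 0 -_time
| table _time host status uri sample_weight
```

The subsearch is subject to the limits of the `append` command (its `maxout` and `maxtime` arguments), so check the row count of the sampled window against those limits before relying on this in a scheduled report; if the older window still returns too many rows, raise the modulus. Raw `count`/`avg` over the combined rows are not meaningful, exactly as the answer says; if an estimate of volume over the older window is acceptable, `sum(sample_weight)` per time bucket gives a rough scaled count, but treat it as an estimate, not a measurement.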


Thanks DavidHourani. I will try it out and give feedback.

