Splunk Search

Splunk non uniform event sampling

sssignals
Path Finder

Hi Splunk community

I wanted to know if Splunk event sampling can be customized such that there is sampling for events from -7d@d to -2d@d and no sampling for example, last 24 hrs of events.

I read the documentation so my conclusion is it cannot be done my way. Appreciate the confirmation from the Splunk community.

I have a lot of events to trend but obviously recent events are more valuable than older events and I really hope to speed up my scheduled reports via non-uniform sampling.

Many thanks.

Tags (1)
0 Karma

DavidHourani
Super Champion

Hi @sssignals,

By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search.

For example in you case, you can call your data for the last 24 hours then append from -7d@d to -2d@d and apply the sample command on that subsearchwhich is found here : https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample

This will give you a mix of sampled and non-sampled results. There is one caveat though, you won't be able to run any stats on those results as averages/max/min/etc of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled then it'll work.

Let me know if that helps.

Cheers,
David

0 Karma

sssignals
Path Finder

Thanks DavidHourani. I will try it out and feedback.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...