Hi Splunk community
I wanted to know if Splunk event sampling can be customized such that there is sampling for events from -7d@d to -2d@d and no sampling for example, last 24 hrs of events.
I read the documentation so my conclusion is it cannot be done my way. Appreciate the confirmation from the Splunk community.
I have a lot of events to trend but obviously recent events are more valuable than older events and I really hope to speed up my scheduled reports via non-uniform sampling.
Many thanks.
Hi @sssignals,
By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search.
For example, in your case you can call your data for the last 24 hours, then append the data from -7d@d to -2d@d and apply the sample command on that subsearch. The sample command is documented here: https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample
This will give you a mix of sampled and non-sampled results. There is one caveat though, you won't be able to run any stats on those results as averages/max/min/etc of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled then it'll work.
Let me know if that helps.
Cheers,
David
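As an added illustration of the append-plus-sample pattern described in the answer above (this is not David's search and not from the Splunk docs; the index, sourcetype and the 0.1 ratio are placeholder assumptions), the search below keeps the last 24 hours unsampled, draws a 10% sample of the -7d@d to -2d@d window inside the appended subsearch, and tags each row so the two populations stay distinguishable downstream. The sample command requires the Machine Learning Toolkit to be installed.

```spl
index=web sourcetype=access_combined earliest=-24h latest=now
| eval sampled="no", weight=1
| append
    [ search index=web sourcetype=access_combined earliest=-7d@d latest=-2d@d
      | sample ratio=0.1
      | eval sampled="yes", weight=10 ]
| timechart span=1h sum(weight) AS est_count by sampled
```

The weight field (1/ratio for sampled rows, assumed here as 10 for ratio=0.1) lets a plain count be scaled back to an estimate of the full population, which is the one statistic that survives uniform sampling; averages, max and min over the sampled rows are still not meaningful, as noted in the answer. Also remember that append runs its subsearch under the usual subsearch limits (maxout and maxtime), so a large sampled window can be truncated silently; check the job inspector if the older period looks thin.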
Thanks DavidHourani. I will try it out and feedback.