Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is event sampling possible using the REST API?

buntinas
Engager
‎06-15-2016 06:59 AM

The documentation describes how to set the sampling ratio in the Search app and dashboards, but not when using the REST API.

Is sampling possible using the REST API?

Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-22-2016 09:54 AM

&dispatch.sample_ratio=10 appears in the URL when I select 1:10.

So i will assume something like that is what you want to add to your request.

I did some testing, and I get multiple lists of results back.

The first list of results is the sample.

View solution in original post

Reply
Solved! Jump to solution

jrizzo_splunk
Splunk Employee
Splunk Employee
‎04-28-2017 11:48 AM

The following worked for me.

$ splunk search 'index=_internal | stats count' -index_earliest 1493132552 -index_latest 1493404081 -sample_ratio 1000
INFO: Sampling disables usage of report acceleration summaries.
INFO: This search is sampling approximately 1 out of every 1000 events (seed=1317954456)
count
-----
   58





$ curl -sku user:pass https://localhost:8089/services/search/jobs/export --data-urlencode search='search index=_internal | stats count' -d output_mode=csv -d earliest_time='1493132552' -d latest_time='1493404081' -d sample_ratio='1000'
count
46
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-22-2016 12:00 PM

Also, this will work:

 ... | eval a=random()%10 | where a=7

Thanks @micah in irc

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-22-2016 09:54 AM

&dispatch.sample_ratio=10 appears in the URL when I select 1:10.

So i will assume something like that is what you want to add to your request.

I did some testing, and I get multiple lists of results back.

The first list of results is the sample.

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-22-2016 10:16 AM

You might prefer to just use the | head command instead...

... | head 10

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-22-2016 10:58 AM

I dont like how the results still had all 15 billion results even though the sample ratio was set. So I used a similar technique to achieve similar results. First I created a command called randomint, then i used it in my search like this:

 ...| randomint 1 100| where randomint=2

or

 ...| randomint 1 100| where randomint=34

This will give a ratio of 1:100 of random events when executed by the API. I put the randomint command in my toolkit app: https://splunkbase.splunk.com/app/3265/

Basically you're attaching a field called randomint to all the events in the search pipeline, and then you're using a where clause to narrow down to just events that match 1 number between 1 and 100. If you wanted a different ration, you'd just do something like ...| randomint 1:50 | where randomint=17

Reply
Solved! Jump to solution

eyalsharon
New Member
‎08-22-2016 03:05 AM

Hi , I am also trying to understand if possible
Any update ?

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...