Can sampling for subsearches be used to parameteri...

amesbury · ‎11-04-2019

Is there a way to set sampling for subsearches separately from the main search? For example, given a search of a huge index (srcidx) like:

index=srcidx thirdparam=bar
    [ search index=srcidx param=foo
      | top 50 secondparam
      | fields secondparam
    ]
| top 50 result

The subsearch (looking for a specific value for param and returning to top 50 secondparam) in my data could be effective with a sampling rate of 1:10000, but the main search must not be sampled because I need real numbers. I see sampling can be controlled in dashboards' in SimpleXML, but I'm not sure <sampleRatio> can be set independently for subsearches.

Is there a way to adjust sampling ratios per search?

woodcock · ‎11-04-2019

Yes, just add this to your subsearch SPL to do a 10% sampling:

... | noop sample_ratio=10

jacobpevans · ‎11-04-2019

You could save the subsearch with the sampling set to whatever you want, then append using the savedsearch command.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/savedsearch

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Can sampling for subsearches be used to parameterize main search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life