Is it possible to use event sampling in the new da...

letienne · ‎05-10-2023

Hello,

Is it possible at all to use event sampling (1:100 or 1:1000) in the new dashboard studio?

It works fine using classic dashboarding, but I'm unable to find a way to use it in the new json format, and it's not documented here: Data source options and properties - Splunk Documentation

I would have expected something like this to work:

"options": {
	"query": "mysearch",
	"sampleRatio": 100
},

Thanks !

chekolyn · ‎07-13-2023

I also was looking for this on the new Dashboard Studio.

The only thing that helped was appending this to the search:

... | noop sample_ratio=10

From: https://community.splunk.com/t5/Splunk-Search/Can-sampling-for-subsearches-be-used-to-parameterize-m...

Noop Doc: https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Noop

TrangCIC81 · ‎05-10-2023

In case if it is OK with Splunk Enterprise latest version, you can refer to this below link.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Retrieveasamplesetofevents

Event sampling might not be available in all versions of Splunk, and the feature may have limitations depending on your specific use case.

MAD1 · ‎06-19-2023

I think the question is with regard to Dashboard Studio. From the "Search" dialog you can sample data and have it create a Classic Dashboard, where the sampleRatio parameter is populated. However if you choose to create a dashboard from your search using Dashboard Studio, then the sampleRatio parameter is not carried over (v9.0.4). Either it is a missing feature or missing documentation. I find it interesting that even new Splunk documentation has samples using the old dashboard technology and not Dashboard Studio.

Is it possible to use event sampling in the new dashboard studio?

other

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)