Samples the event stream. Events that do not have the field being sampled are discarded.
|field||string||No||@timestamp||The names of the field to use for sampling events.|
|percentage||number||No||1||Keep this percentage of the events.|
percentage is the unnamed parameter.
Sample events keeping only 2% of the events
Sample events keeping only 0.1% of the events to allow groupby to find the most common hosts without hitting the groupby-limit
sample(percentage=0.1) | groupby(host) | sort()