sample() Query Function

Samples the event stream. Events that do not have the field being sampled are discarded.


Name        Type    Required  Default     Description
field       string  No        @timestamp  The name of the field to use for sampling events.
percentage  number  No        1           Keep this percentage of the events.

percentage is the unnamed parameter.


Sample events keeping only 2% of the events


Sample events keeping only 0.1% of the events, so that groupby() can find the most common hosts without hitting the groupby-limit

sample(percentage=0.1) | groupby(host) | sort()
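The following Python model of sample() is an added illustration, not code from the product: it reproduces the two rules stated above (events lacking the sampled field are discarded, then roughly the requested percentage is kept) so you can see how sampling on a field such as host silently drops events without that field before groupby() ever counts them. The hash-based selection and the event data are constructed assumptions; the page does not describe how the real function picks events.

```python
import hashlib
from collections import Counter

# Constructed events (not real log data); two of them lack the "host" field.
EVENTS = [
    {"@timestamp": 1700000000001, "host": "web-01", "status": 200},
    {"@timestamp": 1700000000002, "host": "web-02", "status": 500},
    {"@timestamp": 1700000000003, "status": 404},             # no host field
    {"@timestamp": 1700000000004, "host": "web-01", "status": 200},
    {"@timestamp": 1700000000005, "status": 200},             # no host field
    {"@timestamp": 1700000000006, "host": "db-01", "status": 200},
]


def sample(events, percentage=1, field="@timestamp"):
    """Model of sample(): drop events lacking `field`, then keep about
    `percentage` percent of the rest.  Selection is a deterministic hash of
    the event's position and field value (an assumption made so runs are
    repeatable; the product's own selection method is not documented here)."""
    if not 0 <= percentage <= 100:
        raise ValueError("percentage must be between 0 and 100")
    threshold = round(percentage * 100)          # buckets of 0.01 %
    kept = []
    for idx, event in enumerate(events):
        if field not in event:
            continue                             # discarded, as the docs state
        digest = hashlib.sha256(f"{idx}:{event[field]}".encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") % 10000
        if bucket < threshold:
            kept.append(event)
    return kept


def discarded_by(events, field):
    """Events that sample(field=...) throws away before any sampling happens."""
    return [e for e in events if field not in e]


def groupby(events, field):
    """Count events per value of `field`, like groupby(field) | sort()."""
    return Counter(e[field] for e in events).most_common()


if __name__ == "__main__":
    # Sampling on "host" at 100 % still loses the two host-less events.
    print("discarded:", len(discarded_by(EVENTS, "host")))
    print("top hosts:", groupby(sample(EVENTS, percentage=100, field="host"), "host"))
```

Before sampling on anything other than @timestamp, check how many events lack the field, since those are dropped from every downstream count.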