Splunk non uniform event sampling

sssignals · ‎07-05-2019

Hi Splunk community

I wanted to know if Splunk event sampling can be customized such that there is sampling for events from -7d@d to -2d@d and no sampling for example, last 24 hrs of events.

I read the documentation so my conclusion is it cannot be done my way. Appreciate the confirmation from the Splunk community.

I have a lot of events to trend but obviously recent events are more valuable than older events and I really hope to speed up my scheduled reports via non-uniform sampling.

Many thanks.

DavidHourani · ‎07-05-2019

Hi @sssignals,

By default sampling applies to all the data you're calling in with your search. You can work around this by appending results to a search.

For example in you case, you can call your data for the last 24 hours then append from -7d@d to -2d@d and apply the sample command on that subsearchwhich is found here : https://docs.splunk.com/Documentation/MLApp/4.3.0/User/Customsearchcommands#sample

This will give you a mix of sampled and non-sampled results. There is one caveat though, you won't be able to run any stats on those results as averages/max/min/etc of sampled data don't really make sense. So it all really depends on what you're trying to achieve. If it's just mixing sampled and non-sampled then it'll work.

Let me know if that helps.

Cheers,
David

sssignals · ‎07-15-2019

Thanks DavidHourani. I will try it out and feedback.

Splunk non uniform event sampling

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?