Splunk Search

Is there a way to make an appended search (or subsearch) respect the outer search's sample constraint?

dadkinson
Explorer
"XXX targeting service enabled" | stats count as ALL | appendcols [search "exception calling XXX targeting" | stats count as EXC] | eval ratio=ALL/EXC

Search works fine and generates correct ratio when no sampling is made, but if I want to sample, the outer search is fine but the inner runs through the complete event space.

no sample:
ALL: 12182689
EXC: 83363
ratio: 146.140242

1:1000 sample:
ALL: 12108
EXC: 83363
ratio: 0.145244

Easy enough to interpret but it'd be good to know if there's a way to enforce sampling throughout the complete search.

Thanks.

Tags (2)
0 Karma
1 Solution

hunters_splunk
Splunk Employee
Splunk Employee

Hi dadkinson,

Not sure if I understand your question correctly, but the stats command is not a good candidate for event sampling. Please refer to the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Retrieveasamplesetofevents#Commands_and_fun...

Thanks
Hunter

View solution in original post

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi dadkinson,

Not sure if I understand your question correctly, but the stats command is not a good candidate for event sampling. Please refer to the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Retrieveasamplesetofevents#Commands_and_fun...

Thanks
Hunter

0 Karma

dadkinson
Explorer

Ah yes, I'd forgotten about that note. Thanks.

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...