nano SIEM
Search Commands

sample

sample

Return a random sample of events. Useful for testing and data exploration.

Description

The sample command randomly selects N events from your results. This is useful for getting a representative sample of large datasets, testing queries, or exploring data patterns.

Syntax

... | sample [<count>]

Optional Arguments

count
Syntax: <int>
Description: Number of events to sample
Default: 1000

Examples

Sample 100 events

* | sample 100

Default sample (1000)

* | sample

Sample for testing

status=500 | sample 50 | table timestamp, url, error_message

Sample before aggregation

* | sample 10000
  | stats count() by src_ip

Quick data exploration

source_type="firewall" | sample 10

Representative sample

* | sample 5000
  | top user

Usage Notes

Random selection: Events are randomly selected, not the first N.

Performance: More efficient than processing all events for exploration.

Reproducibility: Results may vary between runs.

vs. head: sample is random, head returns first N events.

  • head - First N events
  • tail - Last N events

risk

Previous Page

sequence

Next Page

Edit this page on GitHub
On this page

On this page

sample
Description
Syntax
Optional Arguments
Examples
Sample 100 events
Default sample (1000)
Sample for testing
Sample before aggregation
Quick data exploration
Representative sample
Usage Notes
Related Commands