Identifying Queries on Remote Clusters

To identify queries within the LogScale humio repository in a remote cluster made by a parent multi-cluster view requires identify the original query in the logs, and then searching for the query ID on the remote cluster.

For example:

  1. Identify the ID of the orginal query on the parent cluster or multi-cluster view. If the query was made via an API, it will be part of the metadata returned.

    To find the query ID through the UI, search the humio by searching for the value of the queryInput field. For example, if the query contained the string numThreads:

    logscale
    queryInput=/numThread/

  2. In the returned data, examine the queryID field. A query that has been submitted to a remote cluster will have an ID that ends with -F-######, where #### is another random identity string. For example:

    csv
    "queryID","source"
"IQ-1zegL8IHG7zuxeXvsvIeZclK-F-mZf2NVu6GV2VLN8sq8GjuI2G","console.log"
"IQ-dhHLvv15G7RXH8fPNqZVZ20P-F-VuG2eVlIwpgqVVfb1nbRVQqe","console.log"

    The string after F- is the query ID of the remote cluster. The value should also be available within the federationId field.

  3. To find the query on the remote cluster, search the humio repository for the query ID string:

    logscale
    queryID=/F-mZf2NVu6GV2VLN8sq8GjuI2G/