Query Functions
Manipulating and formatting functions for extracting information from your event data
Humio's query functions take a set of events, parameters, or configurations. From this, they produce, reduce, or modify values within that set, or in the events themselves within a query pipeline.
Functions broadly fall into two categories, Transformation and Aggregate:
Transformation functions, sometimes referred to as Filter functions, transform or filter data and may add, remove or modify fields.
Aggregate functions combine events into a new result, often a single number or row.
Below is an alphabetical listing of all of Humio's query functions.
Function | Description |
---|---|
asn() | Determines autonomous system number and organization associated. |
avg() | Calculates the average for a field of a set of events. |
base64Decode() | Performs Base64 decoding of a field. |
beta:param() | Reads given parameter and assigns the value to a field in the event. |
beta:repeating() | Marks the live query the function is used in as repeating. |
bucket() | Extends the groupBy function for grouping by time. |
callFunction() | Calls the named function on a field over a set of events. |
cidr() | Filters events using CIDR subnets. |
collect() | Collects fields from multiple events into one event. |
communityId() | Computes the Community ID, a standard for hashing network flows. (introduced in 1.33) |
concat() | Concatenates the values of a list of fields into a value in a new field. |
concatArray() | Concatenates values of all fields with same name and an array suffix into a new field. |
copyEvent() | Duplicates an event so the pipeline will see both events. |
count() | Counts given events. |
counterAsRate() | Calculates the rate for a counter field. |
createEvents() | Emits a fixed set of events. |
default() | Creates a field with the given parameter and the given value. |
drop() | Removes attributes or columns from a result set. |
dropEvent() | Completely drops an event in the parser pipeline to stop it from being ingested. |
end() | Assigns the current time as milliseconds since 1970 to the end time of the query. |
eval() | Creates a new field by evaluating the provided expression. |
eventFieldCount() | Returns the number of fields the event uses internally for the values. |
eventInternals() | Adds a set of fields describing the storage locations of this event. |
eventSize() | Returns the number of bytes that this event uses internally for the values, not counting the bytes for storing the field names. |
fieldset() | Retrieves a list of available fields. |
fieldstats() | Retrieves stats about fields. |
findTimestamp() | Finds a timestamp in the given field and parses it, trying multiple timestamp formats. |
format() | Formats a string using a printf-style format. |
formatDuration() | Formats a duration into a more readable string. |
formatTime() | Formats a string according to strftime, similar to unix strftime. |
geography:distance() | Calculates the distance between two geographical coordinates along an ideal earth surface. |
geohash() | Calculates a geohash value given two fields representing latitude and longitude. |
groupBy() | Groups events by specified fields and executes aggregate functions on each group. |
hash() | Computes a non-cryptographic hash of a list of fields. |
hashMatch() | Calculates a secure hash of a field and uses it to match events as a filter. |
hashRewrite() | Calculates a secure hash of a field for storing in the event. |
head() | Returns the oldest events. |
holtwinters() | Used to generate a trendline for a periodic dataset. |
in() | Filters records by values where field is in given values. |
ioc:lookup() | Looks up IOCs (indicators of compromise). |
ipLocation() | Determines country, city, longitude, and latitude for given IP address. |
join() | Joins two Humio searches. |
json:prettyPrint() | Produces nicer output for a JSON field. |
kvParse() | Key-value parses events. |
length() | Returns the number of characters in a string field. |
linReg() | Computes linear relationship model between two variables using least-squares fitting. |
lookup() | Enhances events with metadata. |
lower() | Changes text of a given string field to lower-case letters. |
lowercase() | Changes field name or content to lowercase for parsers. |
match() | Searches text using a CSV or JSON file and can enhance entries. |
math:abs() | Calculates the absolute value of a field. |
math:arccos() | Calculates the arc cosine of a field. |
math:arcsin() | Calculates the arc sine of a field. |
math:arctan() | Calculates the arc tangent of a value. |
math:arctan2() | Calculates the arc tangent of a value. |
math:ceil() | Rounds the field value to the smallest integer that is larger than or equal to it. |
math:cos() | Calculates the cosine of a field. |
math:cosh() | Returns the hyperbolic cosine of a double field. |
math:deg2rad() | Converts angles from degrees to radians. |
math:exp() | Calculates Euler's number e raised to the power of a double value in a field. |
math:expm1() | Returns the exponential value of a number minus 1. |
math:floor() | Returns the largest integer value not greater than the given field value. |
math:log() | Calculates the natural logarithm (base e) of the value in a double field. |
math:log10() | Calculates the base 10 logarithm of a double field. |
math:log1p() | Calculates the natural logarithm of the field's value plus 1. |
math:log2() | Calculates the base 2 logarithm of a double field. |
math:mod() | Calculates the floor modulus of field value and the divisor. |
math:pow() | Raises the field value to the given exponent. |
math:rad2deg() | Converts angles from radians to degrees. |
math:sin() | Calculates the sine of a field. |
math:sinh() | Calculates the hyperbolic sine of a double field. |
math:spherical2cartesian() | Calculates the average for a field of a set of events. |
math:sqrt() | Calculates the rounded positive square root of a double field. |
math:tan() | Calculates the trigonometric tangent of an angle in a field. |
math:tanh() | Calculates the hyperbolic tangent of a field. |
max() | Finds the largest number for the specified field over a set of events. |
min() | Finds the smallest number for the specified field over a set of events. |
now() | Assigns the current time value as milliseconds since 1970. |
parseCEF() | Parses CEF version 0.x encoded messages. |
parseCsv() | Parses a CSV-encoded field into known columns. |
parseFixedWidth() | Parses a fixed width-encoded field into known columns. |
parseHexString() | Parses input from hex encoded bytes, decoding resulting bytes as a string. |
parseInt() | Converts an integer from any radix or base to base-ten, decimal radix. |
parseJson() | Parses specified fields as JSON. |
parseLEEF() | Parses LEEF version 1.0 and 2.0 encoded messages. |
parseTimestamp() | Parses a string into a timestamp. |
parseUrl() | Extracts URL components from a field. |
parseXml() | Parses specified field as XML. |
percentile() | Returns one event with a field for each percentile specified. |
range() | Finds numeric range between smallest and largest numbers for field over a set of events. |
rdns() | Enriches events using an RDNS (reverse DNS) lookup. |
regex() | Extracts new fields using a regular expression. |
rename() | Renames a given field. |
replace() | Replaces each substring that matches given regular expression with given replacement. |
round() | Rounds an input field up or down, depending on which is nearest. |
sample() | Samples the event stream. |
sankey() | Produces data compatible with Sankey widget. |
select() | Used to specify a set of fields to select from each event. |
selectFromMax() | Selects the event with the highest value for the specified field. |
selectFromMin() | Selects the event with the lowest value for the specified field. |
selectLast() | Specifies fields to select from events, keeping the value of the most recent event for each field. |
selfJoin() | Used to collate data from events that share a key. |
selfJoinFilter() | Runs a query to determine IDs, then gets all events containing one of them. |
series() | Collects a series of values for selected fields from multiple events into one or more events. |
session() | Collects events into sessions, and aggregates them. |
shannonEntropy() | Calculates an entropy measure from a string of characters. |
sort() | Sorts events by their fields. |
split() | Splits an event structure created by a JSON array into distinct events. |
splitString() | Splits a string by specifying a regular expression by which to split. |
start() | Assigns the current time as milliseconds since 1970. |
stats() | Used to compute multiple aggregate functions over the input. |
stdDev() | Calculates the standard deviation for a field over a set of events. |
stripAnsiCodes() | Removes ANSI color codes and movement commands. |
subnet() | Computes a subnet from an IPv4 field. |
sum() | Calculates the sum for a field over a set of events. |
table() | Used to create a widget to present the data in a table. |
tail() | Returns the newest events. |
test() | Evaluates a boolean expression and filters events. |
time:dayOfMonth() | Gets the day of the month of a timestamp field. |
time:dayOfWeek() | Gets the day of the week of a timestamp field, from 1 (Mon) to 7 (Sun). |
time:dayOfWeekName() | Gets the English display name of the day of the week of a timestamp field. |
time:dayOfYear() | Gets the day of the year of a timestamp field, from 1 to 365, or 366 in a leap year. |
time:hour() | Gets the hour (24-hour clock) of a timestamp field. |
time:millisecond() | Gets the millisecond of a timestamp field. |
time:minute() | Gets the minute value of a timestamp field. |
time:month() | Gets the month of a timestamp field (from 1 to 12). |
time:monthName() | Gets the English name of the month of a timestamp field (e.g., January). |
time:second() | Gets the second of a timestamp field. |
time:weekOfYear() | Gets the week number within a year of a timestamp, a value from 1 to 53. |
time:year() | Gets the year of a timestamp field. |
timeChart() | Used to draw a line chart where the x-axis is time. |
tokenHash() | Calculates a structure hash which is equal for similarly structured input. |
top() | Finds the top results based on a given field. |
transpose() | Transposes a query results set by creating an event for each attribute. |
unit:convert() | Converts values between different units. |
upper() | Changes contents of a string field to upper-case letters. |
urlDecode() | URL-decodes the contents of a string field. |
urlEncode() | URL-encodes the contents of a string field. |
window() | Computes aggregate functions over a sliding window of data. |
worldMap() | Used to produce data compatible with the World Map widget. |
writeJson() | Writes fields as JSON. |
xml:prettyPrint() | Produces nicer output for an XML field. |
Table: Query Functions