Querying Events' Fields
Querying data in Humio is performed either by searching the raw data of events or by selecting data from specific fields extracted from the event when the data is parsed.
There are different kinds of fields coming from the events:
Tag fields, using the prefix #, define how events are physically stored and indexed.
Metadata fields, using the prefix @, contain metadata about each event extracted during ingestion. All events will have these "default" fields, e.g. @id or @timestamp. See Metadata Fields further down for the complete list of these fields.
User fields are any fields that are not tag or metadata fields.
Event fields can be viewed and managed from the Humio User Interface, see Accessing Data in Repositories and Views for more information.
Each event has some metadata attached to it on ingestion; all metadata fields start with @ to make them easy to identify.
All events will contain the following metadata fields by default.
|@rawstring||The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries.|
|@id||A unique identifier for the event. Can be used to refer to and re-find specific events.|
|@timestamp||Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. |
|@timezone||The timezone the event originated in, if known. This is often set when the event’s timestamp is parsed.|
|@ingesttimestamp||The timestamp of when the event was ingested. The value is milliseconds-since-epoch.|
Extended precision of timestamp below millisecond. E.g.
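
The field kinds and the two millisecond timestamps described above can be used to sanity-check exported events, for example to spot events that arrived late or carry an event time later than their ingest time. The following Python sketch is an added example, not part of the Humio documentation; it assumes each event is available as a flat dictionary keyed by field name, and the sample events, function names and 5-minute threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def classify_fields(event):
    """Split an event's fields into tag (#), metadata (@) and user fields."""
    kinds = {"tag": {}, "metadata": {}, "user": {}}
    for name, value in event.items():
        kind = "tag" if name.startswith("#") else "metadata" if name.startswith("@") else "user"
        kinds[kind][name] = value
    return kinds

def to_utc(ms):
    """Render a milliseconds-since-epoch value as an ISO 8601 UTC string."""
    return (EPOCH + timedelta(milliseconds=int(ms))).isoformat(timespec="milliseconds")

def ingest_lag_ms(event):
    """@ingesttimestamp minus @timestamp, or None if either is missing or non-numeric."""
    try:
        return int(event["@ingesttimestamp"]) - int(event["@timestamp"])
    except (KeyError, TypeError, ValueError):
        return None

def review(event, max_lag_ms=300_000):
    """Label an event by how its event time relates to its ingest time."""
    lag = ingest_lag_ms(event)
    if lag is None:
        return "missing-timestamp"
    if lag < 0:
        return "event-time-after-ingest"  # clock skew or a forged/incorrect timestamp
    return "late-arrival" if lag > max_lag_ms else "ok"

# Constructed sample events (values are illustrative, not real data).
BASE = {"#repo": "auth-logs", "#type": "sshd", "@timezone": "Z",
        "@rawstring": "Failed password for root from 192.0.2.10", "user": "root"}
SAMPLE_EVENTS = [
    {**BASE, "@id": "sample-1", "@timestamp": 1700000000000, "@ingesttimestamp": 1700000001500},
    {**BASE, "@id": "sample-2", "@timestamp": 1700000000000, "@ingesttimestamp": 1700000900000},
    {**BASE, "@id": "sample-3", "@timestamp": 1700003600000, "@ingesttimestamp": 1700000002000},
    {**BASE, "@id": "sample-4", "@timestamp": 1700000000000},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        kinds = classify_fields(ev)
        print(ev["@id"], to_utc(ev["@timestamp"]), review(ev),
              "tags:", sorted(kinds["tag"]), "user:", sorted(kinds["user"]))
```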