Querying Events' Fields

Querying data in Humio is performed by searching either the raw data of events or by selecting data from specific fields extracted from the event when the data is parsed.

There are different kinds of fields coming from the events:

  • Tag fields using the prefix # define how events are physically stored and indexed.

  • Metadata fields using the prefix @ contain metadata about each event extracted during ingestion. All events will have these "default" fields, e.g. @id or @timestamp. See Metadata Fields further down for the complete list of these fields.

  • User fields is any field that is not a tag or metadata field.

Event fields can be viewed and managed from the Humio User Interface, see Accessing Data in Repositories and Views for more information.

Learn how to query these fields in Humio and discover what you can achieve with query writings at Managing Queries and Frequently Used Query Operations.

Metadata Fields

Each event has some metadata attached to it on ingestion; all metadata fields start with @ to make them easy to identify. All events will contain the following metadata fields by default.

Metadata Field Description
@rawstring The original text of the event. As it keeps the original data on ingestion, this field allows you to do free-text searching across all logs and to extract virtual fields in queries.
@id A unique identifier for the event. Can be used to refer to and re-find specific events.
@timestamp Timestamp in milliseconds since the epoch (1st Jan 1970, 00:00) of the ingested event, e.g. 2022-11-22 09:50:20.100 if the event has an identifiable timestamp.
@timezone The timezone the event originated in, if known. This is often set when the event’s timestamp is parsed.
@ingesttimestamp The timestamp of when the event was ingested. The value is milliseconds-since-epoch.
@timestamp.nanos Extended precision of timestamp below millisecond. E.g. 295000