Example Queries

Let's enquire into different log entities, interpret some example queries and inspect them line by line.

Example 1

    status >=400
    | method != PATCH
    | top(method, limit=3)

We can break this down to:

  • Search for status codes greater than or equal to 400:

    status >=400
  • Select all events having any HTTP method (GET, POST, etc.) except PATCH:

    | method != PATCH
  • Select the three HTTP methods with the highest number of events matching the two conditions above, and give the total event count for each of them:

    | top(method, limit=3)

Example 2

    #type=humio #kind=metrics name=load-segment-total
    | timeChart(#vhost, function=max(m1), limit=30)

We can break this down to:

  • Select all events whose field #type equals humio, #kind equals metrics and name equals load-segment-total:

    #type=humio #kind=metrics name=load-segment-total
  • Draw a line chart where the X-axis shows time grouped into buckets and the Y-axis shows the maximum of m1 in each bucket, with one line per #vhost, limited to the 30 vhosts with the highest values:

    | timeChart(#vhost, function=max(m1), limit=30)

Example 3

    #host=github #parser=json
    | repo.name=docker/*
    | groupBy(repo.name, function=count())
    | sort()

We can break this down to:

  • Narrow the search to events in which #host equals github and the #parser used was json:

    #host=github #parser=json
  • Limit results to events from GitHub repositories whose name starts with docker/, using a filter expression; this is useful when you're searching a view based on multiple joined repositories:

    | repo.name=docker/*
  • Aggregate the filtered results by grouping by repository name and counting the number of events (github and json events only) from each docker repository:

    | groupBy(repo.name, function=count())
  • Sort by the default field _count. Results are sorted numerically in descending order, so the most frequently occurring repo.name values appear at the top of the list:

    | sort()

Example 4

    url=/^\/add_to_cart\/(?<product_id>\d+)/
    | match(file="products.csv", column=product_id, field=product_id)
    | sum(product_price, as="Total revenue")

Suppose we have an add_to_cart/productid field in our logs, and that we have enriched these logs with product_name and product_price fields by importing a lookup file named products.csv.

We can break this down to:

  • Match URLs that start with /add_to_cart/ and capture the digits that follow into a field named product_id:

    url=/^\/add_to_cart\/(?<product_id>\d+)/
  • Using product_id, look up the matching row in products.csv to get product_name and product_price for each event:

    | match(file="products.csv", column=product_id, field=product_id)
  • Sum all the product_price values and report the result in a field named Total revenue:

    | sum(product_price, as="Total revenue")
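The three stages of Example 4 emulated in Python, as an added example that is neither Humio code nor from the original page: it runs the regex extraction, the products.csv lookup and the sum over constructed sample events and a constructed lookup file. It assumes that match() drops events with no matching row by default (the strict flag below models that assumption), so the unmatched product id 999 contributes nothing to the total; the field names product_id, product_name and product_price are the page's own.

```python
import csv, io, re
# Constructed sample events (not from the page): one dict per parsed log line.
EVENTS = [
    {"url": "/add_to_cart/101", "status": 200},
    {"url": "/add_to_cart/102", "status": 200},
    {"url": "/add_to_cart/101", "status": 200},
    {"url": "/add_to_cart/999", "status": 200},  # no row in the lookup file
    {"url": "/checkout", "status": 500},         # never matches the regex
]

# Constructed stand-in for the uploaded products.csv lookup file.
PRODUCTS_CSV = """product_id,product_name,product_price
101,Widget,9.99
102,Gadget,24.50
"""

# Python spells a named group (?P<name>...) where the query uses (?<name>...).
URL_RE = re.compile(r"^/add_to_cart/(?P<product_id>\d+)")

def regex_filter(events, field, pattern):
    """Stage 1: keep events whose field matches; named groups become new fields."""
    out = []
    for ev in events:
        m = pattern.match(ev.get(field, ""))
        if m:
            out.append({**ev, **m.groupdict()})
    return out

def match_file(events, csv_text, column, field, strict=True):
    """Stage 2: join each event to the CSV row whose `column` equals its `field`.
    strict=True drops unmatched events (assumed to mirror match()'s default)."""
    rows = {row[column]: row for row in csv.DictReader(io.StringIO(csv_text))}
    out = []
    for ev in events:
        row = rows.get(ev.get(field))
        if row is not None:
            out.append({**ev, **row})
        elif not strict:
            out.append(ev)  # passed through without product_name/product_price
    return out

def sum_field(events, field, as_name):
    """Stage 3: sum a numeric field across events into one named result field."""
    return {as_name: sum(float(ev[field]) for ev in events if field in ev)}

def total_revenue(events=EVENTS, csv_text=PRODUCTS_CSV):
    extracted = regex_filter(events, "url", URL_RE)
    enriched = match_file(extracted, csv_text, column="product_id", field="product_id")
    return sum_field(enriched, "product_price", "Total revenue")
```

Running total_revenue() on the constructed data yields about 44.48 (two Widget events plus one Gadget); switching strict=False keeps the 999 event but still adds nothing, because it has no product_price field.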