Example Queries

Let's enquire into different log entities, interpret some example queries and inspect them line by line.

Example 1

humio
status >=400
| method != PATCH
| top(method, limit=3)

We can break this down to:

  • Search for status codes greater or equal to 400:

    humio
    status >=400
  • Select all events having any HTTP method (GET, POST, etc.) except PATCH

humio
| method != PATCH
  • Select the top three HTTP methods having the highest number of events that match the two conditions above and give the total count for each of the three methods found.

    humio
    | top(method, limit=3)

Example 2

humio
#type=humio #kind=metrics name=load-segment-total
| timeChart(#vhost, function=max(m1), limit=30)

We can break this down to:

  • Select all events having field #type equal to humio, #kind equal to metrics and name equal to load-segment-total

humio
#type=humio #kind=metrics name=load-segment-total
  • Draw a linechart where the X-axis displays the time values grouped into buckets and the Y-axis shows results with one line per #vhost, limiting the results to only the top 30 vhosts that have the maximum values.

humio
| timeChart(#vhost, function=max(m1), limit=30)

Example 3

humio
#host=github #parser=json
| repo.name=docker/*
| groupBy(repo.name, function=count())
| sort()

We can break this down to:

  • Narrow the search to events in which the #host equals github, and the #parser used was json

humio
#host=github #parser=json
  • Limit results to events that are taken from the GitHub repositories that start with the name, docker using a filter expression in cases where you're searching a view based on multiple joined repositories.

humio
repo.name=docker/*
  • Aggregate the filtered results by first grouping by the repository name and then counting the number of events (github and json events only) from each docker repository.

humio
groupBy(repo.name, function=count())
  • Sort by default field _count — results are sorted numerically, in descending order, so you get the most frequently mentioned repo.names at the top of the list.

humio
sort()

Example 4

humio
url=/^\/add_to_cart\/(?<product_id>\d+)/
| match(file="products.csv", column=product_id, field=product_id)
| sum(product_price, as="Total revenue")

Suppose we have a add_to_cart/productid field in our logs and that we have enriched these logs with product_name and product_price fields by importing a file named products.csv.

We can break this down to:

  • Find anything after /add_to_cart in the URL and make that into a product_id that consists of one or more digits

humio
url=/^\/add_to_cart\/(?<product_id>\d+)/
  • Using the product_id, look up the product to get product_name and product_price from the products.csv file

humio
| match(file="products.csv", column=product_id, field=product_id)
  • Sum all the product_price values and report the result in a field named Total revenue

humio
| sum(product_price, as="Total revenue")