Falcon LogScale Documentation

Whenever a function accepts a function as an argument, there are some special rules. For all variations of groupBy(), bucket() and timeChart(), that take a function= argument, you can also use a composite function. Composite functions take the form { f1(..) | f2(..) } which works like the composition of f1 and f2. For example, you can do

groupBy(type, function={ avgFoo := avg(foo) | outFoo := round(avgFoo) })

You can also use filters inside such composite function calls, but not saved queries.

Incidentally, queries can contains comments. This is useful for long multi-line queries and especially with saved queries since later you may not remember the purpose of each step. Below is an example of a comment embedded in a query:

#type=accesslog // choose the type
| top(url)  // count urls and choose the most frequently used

In addition to built-in functions, you can create your own functions by saving a query you use often. Then it can be used as a top-level element of another query, similar to a function call.

To use a saved query this way you invoke it using the syntax $"SAVED_QUERY_NAME"() or, if the name does not contain whitespace or special characters you can use $nameOfSavedQuery() without quotes. A typical use for this is to define a filter or extraction ruleset that you can use as a prefix of another query.

Below is an example of how you might name and use a custom function:

$"My Saved Query"() | $filterOutFalsePositive() | ...

host = ?host

$findhost(host="gendarme")

regex(regex="Service exited due to (?<signal>\S+)")| signal = ?signal
| regex(regex="sent by (?<process>\S+)[\d+]")| process = ?process

$killedprocess(signal="SIGKILL", process="mds")

?{signal="*" }
| ?{process="*"}
| regex(regex="Service exited due to (?<signal>\S+)")
| signal = ?signal
| regex(regex="sent by (?<process>\S+)\[\d+\]")
| process = ?process

$killedprocess(process="mds")

When showing search results in a table it is possible to create a link that is clickable. If the value of a field looks like a link, the UI will make it clickable. Links can be constructed using the search language. The format() function can be handy for this.

$extractRepo() | top(repo) | format("https://example.com/%s", field=repo, as=link)

For further clarity you can use Markdown formatting to give the link a title:

$extractRepo() | top(repo) | format("[Link](https://example.com/%s)", field=repo, as=link)

Some functions have limitations around their use in live queries, such as join() — see beta:repeating() and selfJoin().

Beginning with version 1.17, Humio provides an alternative way of doing live queries to overcome these limitations: repeating queries. A repeating query is a static query that is executed at regular intervals and can be used in the same places as live queries, such as in dashboards or alerts.

When this feature is enabled,you can turn a live query into a repeating by adding the beta:repeating() function to the query. For example, this query will be repeated every 10 minutes and can be used in dashboards and alerts:

selfJoin(field=email_id, where=[{from=peter},{to=anders}]) | beta:repeating(10m)

Using beta:repeating() in a static query is allowed, but has no effect.

If query snapshot cache is enabled, the static queries made by a repeating query will reuse previous results and will consequently not be as much work for Humio to execute as a regular static query. When this happens, the update interval will be adjusted to the nearest time-bucket.

mutation {
    enableFeature(feature: RepeatingQueries)
}