analyzeQuery()

The analyzeQuery() GraphQL query is used to analyze a query for certain properties. It will let you know if the query is valid, if it would have any errors or warnings in a standard search context. It also will suggest an alert to use with the query.

Syntax

Below is the syntax for the analyzeQuery() query field:

graphql

analyzeQuery(
     input: AnalyzeQueryArguments!
   ): AnalyzeQueryInfo!

For the input, there's a special datatype, AnalyzeQueryArguments. It has a few parameters, which described in the Given Datatypes section below. The return datatype, AnalyzeQueryInfo is described in the Results Datatypes section. Here's an example of how this query might be used:

Raw

graphql

query {
   analyzeQuery(
     input:{
        queryString: "groupBy([#type,actor.type])",
        arguments:[{name: "groupBy([#type,actor.type])", value: ""}],
        version:{name: "legacy"},
        viewName: "humio-audit"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
   analyzeQuery( ^
     input:{ ^
        queryString: \"groupBy([#type,actor.type])\", ^
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}], ^
        version:{name: \"legacy\"}, ^
        viewName: \"humio-audit\" ^
    } ^
  ) {validateQuery {isValid} , suggestedAlertType {alertType}} ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}'
"$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    "analyzeQuery": {
      "validateQuery": {
        "isValid": true
      },
      "suggestedAlertType": {
        "alertType": "AggregateAlert"
      }
    }
  }
}

The results here show that the query is valid. From that, it suggests that an alert might be created with the query using the AggregateAlert query field.

Given Datatypes

For the given datatype, AnalyzeQueryArguments, there are a few parameters. Below is a list of them along with their datatypes and a description of each:

Table: AnalyzeQueryArguments

Parameter	Type	Required	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 17, 2024
`arguments`	[`QueryArgumentInputType`]	yes	The arguments for analyzeQuery. See `QueryArgumentInputType`.
`isLive`	boolean		Whether query is for live or static data.
`queryString`	string	yes	The query string for analyzeQuery.
`version`	`LanguageVersionInputType`	yes	The version used. See `LanguageVersionInputType`.
`text`	`RepoOrViewName`		The name of the view. RepoOrViewName is a scalar.

Returned Datatypes

For AnalyzeQueryInfo, there are a couple of parameters. They're listed here along with descriptions of each:

Table: AnalyzeQueryInfo

Parameter	Type	Required	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 23, 2024
`suggestedAlertType`	`SuggestedAlertTypeInfo`		Suggested type of alert to use for a given query. Returns null if no suitable alert type could be suggested. The given query isn't guaranteed to be valid for the suggested alert type. See `SuggestedAlertTypeInfo`.
`validateQuery`	`QueryValidationInfo`	yes	Check if the given query contains any errors or warnings when used in a standard search context. See `QueryValidationInfo`.

GraphQL Queries

GraphQL Mutation Fields

GraphQL Datatypes

analyzeQuery()

Syntax

Given Datatypes

Returned Datatypes

Enter search term