API Stability Short-Term

The analyzeQuery() GraphQL query is used to analyze a query for certain properties. It validates saved queries when a viewName has been defined. It'll let you know if it would have any errors or warnings in a standard search context. It also will suggest an alert to use with the query.

For more information on saved queries, see the User Functions (Saved Searches) reference page where saved queries are discussed. Also, look at the Search Data documentation page as it relates to recent queries and saving queries.

Syntax

Below is the syntax for the analyzeQuery() query field:

graphql
analyzeQuery(
     input: AnalyzeQueryArguments!
   ): AnalyzeQueryInfo!

For the input, there's a special datatype, AnalyzeQueryArguments. It has a few parameters, which are described in the Given Datatypes section below. The return datatype, AnalyzeQueryInfo, is described in the Returned Datatypes section. Here's an example of how this query might be used:

Raw
graphql
query {
   analyzeQuery(
     input:{
        queryString: "groupBy([#type,actor.type])",
        arguments:[{name: "groupBy([#type,actor.type])", value: ""}],
        version:{name: "legacy"},
        viewName: "humio-audit"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "query { analyzeQuery( input:{ queryString: \"groupBy([#type,actor.type])\", arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}], version:{name: \"legacy\"}, viewName: \"humio-audit\" } ) {validateQuery {isValid} , suggestedAlertType {alertType}} }"}'
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
   analyzeQuery( ^
     input:{ ^
        queryString: \"groupBy([#type,actor.type])\", ^
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}], ^
        version:{name: \"legacy\"}, ^
        viewName: \"humio-audit\" ^
    } ^
  ) {validateQuery {isValid} , suggestedAlertType {alertType}} ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'

# GraphQL document. requests serializes the payload to JSON, which escapes
# the quotes and newlines in this string.
query = '''query {
   analyzeQuery(
     input:{
        queryString: "groupBy([#type,actor.type])",
        arguments:[{name: "groupBy([#type,actor.type])", value: ""}],
        version:{name: "legacy"},
        viewName: "humio-audit"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}'''

resp = requests.post(url,
                     json = {"query": query},
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

// Template literal keeps the GraphQL document readable; JSON.stringify
// escapes its quotes and newlines when building the request body.
const data = JSON.stringify({
  query: `query {
   analyzeQuery(
     input:{
        queryString: "groupBy([#type,actor.type])",
        arguments:[{name: "groupBy([#type,actor.type])", value: ""}],
        version:{name: "legacy"},
        viewName: "humio-audit"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}`,
});

// Base URL and token are read from the environment.
const url = new URL(process.env.YOUR_LOGSCALE_URL + '/graphql');

const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Byte length, not character count, in case the body is not pure ASCII.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(url, options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "analyzeQuery": {
      "validateQuery": {
        "isValid": true
      },
      "suggestedAlertType": {
        "alertType": "AggregateAlert"
      }
    }
  }
}

The results here show that the query is valid. From that, it suggests that an aggregate alert might be created with the query.

Given Datatypes

For AnalyzeQueryArguments, there are a few parameters. Below is a list of them along with descriptions of each:

Table: AnalyzeQueryArguments

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| arguments | [QueryArgumentInputType] | | | Short-Term | The arguments for analyzeQuery. See QueryArgumentInputType. |
| isLive | boolean | | | Short-Term | Whether query is for live or static data. |
| queryString | string | yes | | Short-Term | The query string for analyzeQuery. |
| rejectFunctions | [string] | | | Short-Term | A list of function names which are disallowed when validating the query. |
| strict | boolean | | true | Short-Term | Whether query analysis is performed in strict mode. When true, missing query arguments are reported as validation errors, and saved query uses are validated. When false, missing query arguments and all saved query uses are not reported as errors. |
| timeInterval | QueryTimeInterval | | | Short-Term | A time range for which the query is intended to be run. The interval will be validated syntactically and certain query functions can be further validated. Allows for partial time intervals with analyzeQuery() -- default time interval set in line with query jobs. See QueryTimeInterval. |
| version | LanguageVersionInputType | yes | | Short-Term | The version used. See LanguageVersionInputType. |
| viewName | RepoOrViewName | | | Short-Term | The name of the view. RepoOrViewName is a scalar. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Aug 18, 2025

Returned Datatypes

For AnalyzeQueryInfo, there are a couple of parameters. They're listed here along with descriptions of each:

Table: AnalyzeQueryInfo

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| analysisResult | QueryAnalysisResult | yes | | Preview | The results from statically analyzing the query. See QueryAnalysisResult. |
| suggestedAlertType | SuggestedAlertTypeInfo | | | Short-Term | Suggested type of alert to use for a given query. Returns null if no suitable alert type could be suggested. The given query isn't guaranteed to be valid for the suggested alert type. See SuggestedAlertTypeInfo. |
| validateQuery | QueryValidationInfo | yes | | Short-Term | Check if the given query contains any errors or warnings when used in a standard search context. See QueryValidationInfo. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Aug 19, 2025
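
The following is an added example, not code from the LogScale documentation or product. It shows one way to use analyzeQuery() as a check before a query is turned into an alert: the LogScale query is sent as a GraphQL variable of type AnalyzeQueryArguments, so quotes inside it need no hand-escaping, and the response is reduced to an accept/reject decision that handles a null suggestedAlertType. The function names, the constructed sample responses, the "join" entry used for rejectFunctions, and the assumption that the endpoint accepts standard GraphQL variables are illustrative.

```python
import json

# The LogScale query is passed as a GraphQL variable, so quotes or braces in
# it cannot change the structure of the GraphQL document itself.
ANALYZE_DOC = """query Analyze($input: AnalyzeQueryArguments!) {
  analyzeQuery(input: $input) {
    validateQuery { isValid }
    suggestedAlertType { alertType }
  }
}"""

def build_payload(query_string, view_name, reject_functions=(), strict=True):
    """Return the JSON body to POST to <LogScale URL>/graphql."""
    args = {
        "queryString": query_string,
        "version": {"name": "legacy"},  # value taken from the page's example
        "viewName": view_name,
        "strict": strict,
    }
    if reject_functions:
        args["rejectFunctions"] = list(reject_functions)
    return json.dumps({"query": ANALYZE_DOC, "variables": {"input": args}})

def gate(response_text):
    """Return (ok, detail) for a candidate alert query."""
    body = json.loads(response_text)
    if body.get("errors"):  # standard GraphQL top-level error list
        return False, "graphql error"
    info = (body.get("data") or {}).get("analyzeQuery")
    if not info:
        return False, "no analyzeQuery result"
    if not info["validateQuery"]["isValid"]:
        return False, "query is not valid"
    suggestion = info.get("suggestedAlertType")  # null when nothing fits
    if suggestion is None:
        return False, "no alert type suggested"
    return True, suggestion["alertType"]

# Constructed sample responses (the first mirrors the success response above).
SAMPLE_OK = ('{"data": {"analyzeQuery": {"validateQuery": {"isValid": true},'
             ' "suggestedAlertType": {"alertType": "AggregateAlert"}}}}')
SAMPLE_INVALID = ('{"data": {"analyzeQuery": {"validateQuery": {"isValid": false},'
                  ' "suggestedAlertType": null}}}')
SAMPLE_NO_SUGGESTION = ('{"data": {"analyzeQuery": {"validateQuery": {"isValid": true},'
                        ' "suggestedAlertType": null}}}')

if __name__ == "__main__":
    print(build_payload('groupBy([#type,actor.type])', "humio-audit", ["join"]))
    for sample in (SAMPLE_OK, SAMPLE_INVALID, SAMPLE_NO_SUGGESTION):
        print(gate(sample))
```

As the AnalyzeQueryInfo table notes, a suggested alert type does not guarantee the query is valid for that alert type, so this check belongs before alert creation, not in place of it.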