API Stability: Short-Term
The analyzeQuery() GraphQL query analyzes a query for certain properties. It reports whether the query is valid and whether it would produce any errors or warnings in a standard search context. It also suggests an alert type to use with the query.
This query field doesn't validate saved queries, but is expected to do so soon. For more information on saved queries, see the User Functions (Saved Searches) reference page. Also see the Searching Data documentation page, which covers recent queries and saving queries.
Syntax
Below is the syntax for the analyzeQuery() query field:
```graphql
analyzeQuery(
  input: AnalyzeQueryArguments!
): AnalyzeQueryInfo!
```
The input uses a special datatype, AnalyzeQueryArguments. Its parameters are described in the Given Datatypes section below. The return datatype, AnalyzeQueryInfo, is described in the Returned Datatypes section. Here's an example of how this query might be used:
```graphql
query {
  analyzeQuery(
    input: {
      queryString: "groupBy([#type,actor.type])",
      arguments: [{name: "groupBy([#type,actor.type])", value: ""}],
      version: {name: "legacy"},
      viewName: "humio-audit"
    }
  ) {
    validateQuery { isValid }
    suggestedAlertType { alertType }
  }
}
```

```json
{
  "data": {
    "analyzeQuery": {
      "validateQuery": {
        "isValid": true
      },
      "suggestedAlertType": {
        "alertType": "AggregateAlert"
      }
    }
  }
}
```
The results here show that the query is valid. From that, it suggests that an alert might be created with the query using the AggregateAlert query field.
Given Datatypes
For AnalyzeQueryArguments, there are a few parameters. Below is a list of them along with descriptions of each:
Table: AnalyzeQueryArguments

Parameter | Type | Required | Default | Stability | Description |
---|---|---|---|---|---|
arguments | [QueryArgumentInputType] | yes | | Short-Term | The arguments for analyzeQuery. See QueryArgumentInputType. |
isLive | boolean | | | Short-Term | Whether query is for live or static data. |
queryString | string | yes | | Short-Term | The query string for analyzeQuery. |
rejectFunctions | [string] | yes | | Short-Term | A list of function names which are disallowed when validating the query. |
strict | boolean | yes | true | Short-Term | Whether query analysis is performed in strict mode. When true, missing query arguments are reported as validation errors, and saved query uses are validated. When false, missing query arguments and all saved query uses are not reported as errors. |
version | LanguageVersionInputType | yes | | Short-Term | The version used. See LanguageVersionInputType. |
viewName | RepoOrViewName | | | Short-Term | The name of the view. RepoOrViewName is a scalar. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
Returned Datatypes
For AnalyzeQueryInfo, there are a couple of parameters. They're listed here along with descriptions of each:
Table: AnalyzeQueryInfo

Parameter | Type | Required | Default | Stability | Description |
---|---|---|---|---|---|
suggestedAlertType | SuggestedAlertTypeInfo | | | Short-Term | Suggested type of alert to use for a given query. Returns null if no suitable alert type could be suggested. The given query isn't guaranteed to be valid for the suggested alert type. See SuggestedAlertTypeInfo. |
validateQuery | QueryValidationInfo | yes | | Short-Term | Check if the given query contains any errors or warnings when used in a standard search context. See QueryValidationInfo. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 23, 2024
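
One way to use this query field as a pre-deployment check for alert queries, shown as an added example that is not code from the original page. The helper names `build_request` and `gate`, the empty `arguments` list, the `readFile` entry passed to `rejectFunctions`, and the sample responses are assumptions or constructed for illustration; only fields documented above are selected.

```python
import json

# GraphQL document; only fields shown on this page are selected.
ANALYZE_QUERY = """
query Analyze($input: AnalyzeQueryArguments!) {
  analyzeQuery(input: $input) {
    validateQuery { isValid }
    suggestedAlertType { alertType }
  }
}
"""

def build_request(query_string, view_name, reject_functions=(), is_live=False):
    """Build the JSON body for a GraphQL POST (hypothetical helper)."""
    return {"query": ANALYZE_QUERY, "variables": {"input": {
        "queryString": query_string,
        "arguments": [],                 # assumption: no query parameters supplied
        "version": {"name": "legacy"},   # value taken from the page's example
        "viewName": view_name,
        "isLive": is_live,
        "rejectFunctions": list(reject_functions),
        "strict": True,                  # missing arguments become validation errors
    }}}

def gate(response, allowed_alert_types):
    """Return (ok, reason) for one analyzeQuery response (hypothetical helper)."""
    if response.get("errors"):           # top-level GraphQL errors, no usable data
        return False, "graphql error"
    info = response["data"]["analyzeQuery"]
    if not info["validateQuery"]["isValid"]:
        return False, "query is not valid"
    suggested = info.get("suggestedAlertType")
    if suggested is None:                # documented: null when nothing fits
        return False, "no alert type suggested"
    if suggested["alertType"] not in allowed_alert_types:
        return False, "unexpected alert type: " + suggested["alertType"]
    return True, suggested["alertType"]

# Constructed sample responses; the first mirrors the response shown on this page.
SAMPLE_OK = {"data": {"analyzeQuery": {"validateQuery": {"isValid": True},
             "suggestedAlertType": {"alertType": "AggregateAlert"}}}}
SAMPLE_INVALID = {"data": {"analyzeQuery": {"validateQuery": {"isValid": False},
                  "suggestedAlertType": None}}}
SAMPLE_NO_TYPE = {"data": {"analyzeQuery": {"validateQuery": {"isValid": True},
                  "suggestedAlertType": None}}}

if __name__ == "__main__":
    body = build_request("groupBy([#type,actor.type])", "humio-audit", ["readFile"])
    print(json.dumps(body["variables"], indent=2))
    for sample in (SAMPLE_OK, SAMPLE_INVALID, SAMPLE_NO_TYPE):
        print(gate(sample, {"AggregateAlert"}))
```

Because the suggested alert type isn't guaranteed to be valid for the query, a passing `gate` result is a pre-check only; the alert still has to be accepted when it is actually created.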