The analyzeQuery() GraphQL query is used to analyze a query for certain properties. It will let you know if the query is valid, if it would have any errors or warnings in a standard search context. It also will suggest an alert to use with the query.

This query field doesn't validate saved queries, but is expected to do so soon. For when that happens, for more information on saved queries, see the User Functions (Saved Searches) reference page where saved queries are discussed. Also, look at the Searching Data documentation page as it relates to recent queries and saving queries.

Syntax

Below is the syntax for the analyzeQuery() query field:

graphql
analyzeQuery(
     input: AnalyzeQueryArguments!
   ): AnalyzeQueryInfo!

For the input, there's a special datatype, AnalyzeQueryArguments. It has a few parameters, which described in the Given Datatypes section below. The return datatype, AnalyzeQueryInfo is described in the Results Datatypes section. Here's an example of how this query might be used:

Raw
graphql
query {
   analyzeQuery(
     input:{
        queryString: "groupBy([#type,actor.type])",
        arguments:[{name: "groupBy([#type,actor.type])", value: ""}],
        version:{name: "legacy"},
        viewName: "humio-audit"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
   analyzeQuery( ^
     input:{ ^
        queryString: \"groupBy([#type,actor.type])\", ^
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}], ^
        version:{name: \"legacy\"}, ^
        viewName: \"humio-audit\" ^
    } ^
  ) {validateQuery {isValid} , suggestedAlertType {alertType}} ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}'
"$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
   analyzeQuery(
     input:{
        queryString: \"groupBy([#type,actor.type])\",
        arguments:[{name: \"groupBy([#type,actor.type])\", value: \"\"}],
        version:{name: \"legacy\"},
        viewName: \"humio-audit\"
    }
  ) {validateQuery {isValid} , suggestedAlertType {alertType}}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "analyzeQuery": {
      "validateQuery": {
        "isValid": true
      },
      "suggestedAlertType": {
        "alertType": "AggregateAlert"
      }
    }
  }
}

The results here show that the query is valid. From that, it suggests that an alert might be created with the query using the AggregateAlert query field.

Given Datatypes

For the given datatype, AnalyzeQueryArguments, there are a few parameters. Below is a list of them along with their datatypes and a description of each:

Table: AnalyzeQueryArguments

ParameterTypeRequiredDefaultDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 17, 2024
arguments[QueryArgumentInputType]yes The arguments for analyzeQuery. See QueryArgumentInputType.
isLiveboolean  Whether query is for live or static data.
queryStringstringyes The query string for analyzeQuery.
versionLanguageVersionInputTypeyes The version used. See LanguageVersionInputType.
textRepoOrViewName  The name of the view. RepoOrViewName is a scalar.

Returned Datatypes

For AnalyzeQueryInfo, there are a couple of parameters. They're listed here along with descriptions of each:

Table: AnalyzeQueryInfo

ParameterTypeRequiredDefaultDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 23, 2024
suggestedAlertTypeSuggestedAlertTypeInfo  Suggested type of alert to use for a given query. Returns null if no suitable alert type could be suggested. The given query isn't guaranteed to be valid for the suggested alert type. See SuggestedAlertTypeInfo.
validateQueryQueryValidationInfoyes Check if the given query contains any errors or warnings when used in a standard search context. See QueryValidationInfo.