Summary

The queryAnalysis() GraphQL query to analyze a given query. This is a preview and subject to changes.

API Stability Preview

Syntax

graphql
queryAnalysis(
      viewName: string,
      queryString: string!, 
      isLive: boolean!,
      languageVersion: LanguageVersionEnum!
   ): queryAnalysis!

For the input, you'll have to give the name of the view or repository, the query itself, indicate whether the query is live, and specify the language version. See the Input Parameters section for more details.

For the results, you might want to know if it's suitable for an aggregate alert and any diagnostic information — by way of the drill down. See the Returned Values section for more.

Example

Raw
graphql
query {
  queryAnalysis(
     queryString: "host:localhost", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:"humio")
  {filterPart, isAggregate, isSinglePhase}
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  queryAnalysis( ^
     queryString: \"host:localhost\",  ^
     languageVersion: legacy,  ^
     isLive: true,  ^
     viewName:\"humio\") ^
  {filterPart, isAggregate, isSinglePhase} ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "queryAnalysis": {
      "filterPart": "host:localhost",
      "isAggregate": false,
      "isSinglePhase": true
    }
  }
}

Input Parameters

For the input, you'll need to provide the name of the view or repository, the query itself, indicate whether the query is live, and specify the language version (e.g., legacy).

Table: Input Parameters & Datatypes

Parameter Type Required Default Description
This table contains all input parameters for this query. Since one of the parameters uses a special datatype, an additional table is included below with its parameters.
isLive boolean yes   Whether the query is working with live data.
languageVersion LanguageVersionEnum yes   The version of the LogScale query language to use.
queryString string yes   The query string to analyze.
viewName string     The name of the view or repository.

This special datatype is used to indicate the language version (e.g., legacy). Below is a list of choices along with a description of each:

Table: LanguageVersionEnum Enum Datatype

ParameterTypeRequiredDefaultStabilityDescription
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Oct 29, 2025
federated1boolean  Long-TermIndicates if Federated version of the LogScale query is used.
filteralertboolean  DeprecatedThis has no effect and is no longer used internally. It will be removed at the earliest in version 1.189.
legacyboolean  Long-TermWhether legacy LogScale query language is used.
xdr1boolean  Long-TermWhether XDR1 is used.
xdrdetects1boolean  Long-TermWhether XDR Detects 1 query language is used.

Returned Values

For the results, you can get any diagnostic information. The table below lists the choices and links to sub-choices:

Table: queryAnalysis Datatype

ParameterTypeRequiredDefaultStabilityDescription
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Aug 21, 2025
drilldownsdrilldownsyes PreviewThe number associated with the type of page. See drilldowns.
filterPartstringyes PreviewThe query string up to the first aggregator.
isAggregatebooleanyes PreviewWhether the query contains an aggregator.
isSinglePhasebooleanyes PreviewWhether the query doesn't contain a join-like function.
isValidFilterAlertQuery(viewName: string): booleanmultipleyes Preview

Checks if a query is fit for use for a filter alert.

This is deprecated and is no longer used internally. It will be removed in version 1.207. Use instead the analyzeQuery() query with the suggestedAlertType parameter.