queryAnalysis()

API Stability Preview

The queryAnalysis() GraphQL query to analyze a given query. This is a preview and subject to changes.

Related to this query field is the query, analyzeQuery(). It can validate saved queries and will return any errors or warnings in a standard search context. It will also suggest an alert to use with the query. There is also the queryAssistance() query, which returns query assistance for a search. And there is validateQuery() query, which is used to check if a query complies. If not, it can return error messages.

Syntax

graphql

queryAnalysis(
      viewName: string,
      queryString: string!, 
      isLive: boolean!,
      languageVersion: LanguageVersionEnum!
   ): queryAnalysis!

For the input, you'll need to provide the name of the view or repository, the query itself, whether the query is live, and the language version (e.g., legacy). For the results, you might want to know if it's suitable for an aggregate alert and any diagnostic information — by way of the drill down.

Example

Below is an example of how this query field might be used:

Raw

graphql

query {
  queryAnalysis(
     queryString: "host:localhost", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:"humio")
  {filterPart, isAggregate, isSinglePhase}
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  queryAnalysis( ^
     queryString: \"host:localhost\",  ^
     languageVersion: legacy,  ^
     isLive: true,  ^
     viewName:\"humio\") ^
  {filterPart, isAggregate, isSinglePhase} ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    "queryAnalysis": {
      "filterPart": "host:localhost",
      "isAggregate": false,
      "isSinglePhase": true
    }
  }
}

Given Datatype

The input datatype is used to indicate the language version (e.g., legacy). Below is a list of choices along with a description of each:

Table: LanguageVersionEnum

Parameter	Type	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Oct 29, 2025
federated1	boolean	`Long-Term`	Indicates if Federated version of the LogScale query is used.
filteralert	boolean	`Deprecated`	This has no effect and is no longer used internally. It will be removed at the earliest in version 1.189.
legacy	boolean	`Long-Term`	Whether legacy LogScale query language is used.
xdr1	boolean	`Long-Term`	Whether XDR1 is used.
xdrdetects1	boolean	`Long-Term`	Whether XDR Detects 1 query language is used.

Returned Datatype

For the returned datatype, through the drilldowns , you can get any diagnostic information. The table below lists the parameters available and links to sub-parameters:

Table: queryAnalysis

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Aug 21, 2025
drilldowns	drilldowns	yes	`Preview`	The number associated with the type of page. See drilldowns.
filterPart	string	yes	`Preview`	The query string up to the first aggregator.
isAggregate	boolean	yes	`Preview`	Whether the query contains an aggregator.
isSinglePhase	boolean	yes	`Preview`	Whether the query doesn't contain a join-like function.
isValidFilterAlertQuery(viewName: string): boolean	multiple	yes	`Preview`	Checks if a query is fit for use for a filter alert. This is deprecated and is no longer used internally. It will be removed in version 1.207. Use instead the analyzeQuery() query with the suggestedAlertType parameter.

Versions of this Page

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes

queryAnalysis()

Syntax

Example

Given Datatype

Returned Datatype

Enter search term