API Stability Preview

The queryAnalysis() GraphQL query to analyze a given query. This is a preview and subject to changes.

Syntax

Below is the syntax for the queryAnalysis() query field:

graphql
queryAnalysis(
      viewName: string,
      queryString: string!, 
      languageVersion: LanguageVersionEnum!, 
      isLive: boolean!, 
   ): queryAnalysis!

Below is an example of how this query field might be used:

Raw
graphql
query {
  queryAnalysis(
     queryString: "host:localhost", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:"humio")
  {filterPart, isAggregate, isSinglePhase}
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  queryAnalysis( ^
     queryString: \"host:localhost\",  ^
     languageVersion: legacy,  ^
     isLive: true,  ^
     viewName:\"humio\") ^
  {filterPart, isAggregate, isSinglePhase} ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  queryAnalysis(
     queryString: \"host:localhost\", 
     languageVersion: legacy, 
     isLive: true, 
     viewName:\"humio\")
  {filterPart, isAggregate, isSinglePhase}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "queryAnalysis": {
      "filterPart": "host:localhost",
      "isAggregate": false,
      "isSinglePhase": true
    }
  }
}

Given Datatypes

For LanguageVersionEnum, there are a few parameters. Below is a list of them along with a description of each:

Table: LanguageVersionEnum

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 30, 2025
federated1boolean  PreviewIndicates if Federated1 version of the LogScale query is used.
filteralertboolean  DeprecatedThis has no effect and is no longer used internally. It will be removed at the earliest in version 1.189.
legacyboolean  PreviewWhether legacy LogScale query language is used.
xdr1boolean  PreviewWhether XDR1 is used.
xdrdetects1boolean  PreviewWhether XDR Detects 1 query language is used.

Returned Datatypes

For queryAnalysis, there are a few parameters. Below is a list of them along with a description of each:

Table: queryAnalysis

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Aug 21, 2025
drilldownsdrilldownsyes PreviewThe number associated with the type of page. See drilldowns.
filterPartstringyes PreviewThe query string up to the first aggregator.
isAggregatebooleanyes PreviewWhether the query contains an aggregator.
isSinglePhasebooleanyes PreviewWhether the query doesn't contain a join-like function.
isValidFilterAlertQuery(viewName: string): booleanmultipleyes Preview

Checks if a query is fit for use for a filter alert.

This is deprecated and is no longer used internally. It will be removed in version 1.207. Use instead the analyzeQuery() query with the suggestedAlertType parameter.