humio-audit Query Structure
The humio-audit repository's query structure captures detailed information about audit event queries, including timing, execution parameters, and search criteria. The structure contains essential fields that track query characteristics such as time intervals, interactive status, live mode settings, language versions, and timezone offsets, providing comprehensive audit trail data for scheduled searches and alerts.
The query structure defines information about the query used at the time of the audit event. A scheduled search or alert uses a query executed by a specific user with specific criteria. The basic format of the structure has the following fields:
| Field | Description |
|---|---|
| query.allowEventSkipping | whether event skipping was enabled |
| query.arguments | arguments for the parameters specified in the query |
| query.around | was the result 'around' a specific event ID |
| query.autobucketCount | the number of buckets the system tried to create if bucketing was enabled |
| query.computeFieldStats | did the query compute the field stats |
| query.dashboardFilter | the dashboard filter used |
| query.dashboardFilterVersion | the version of the dashboard filter if used |
| query.doneCriteria | criteria that could allow the query coordinator to stop the query early |
| query.end | the end time of the selected interval |
| query.extraTags | extra tags that were added to the query |
| query.includeDeletedEvents | did the query include deleted events |
| query.ingestEnd | end of the ingest-time interval of the returned events |
| query.ingestStart | start of the ingest-time interval of the returned events |
| query.intervals(ingestTimeInterval) | intervals the query searched |
| query.isAlertQuery | was the query triggered as part of an alert |
| query.isInteractive | was the query interactive (true if through the UI or via the API; false when through an automation such as an alert or scheduled search). The value is used by LogScale to determine whether the user can continue to interact with the query results and enables LogScale to be more responsive in those situations. |
| query.isLive | was the query executed in live mode |
| query.isRepeatingSubquery | was it a repeating subquery of another query |
| query.languageVersion | what language version was used to parse the query string |
| query.noResultUntilDone | was the result delayed until the full data set was ready (used in some alerts) |
| query.queryString | the query string |
| query.showQueryEventDistribution | whether query event distribution was enabled |
| query.start | the start time of the selected interval |
| query.timeZoneOffsetMinutes | timezone offset |
| query.useIngestTime | the timestamp when the data was ingested |
| query.wantsAutoBucketing | whether the query wanted auto bucketing |
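As an added example (not part of the original page or of LogScale itself), the script below reads newline-delimited JSON audit events, pulls out the `query.*` fields documented above, derives the search window from `query.start` and `query.end`, and tags each record with review flags such as non-interactive execution, alert origin, live mode, inclusion of deleted events, or an unusually wide window. The sample events are constructed; only the `query.*` field names come from the table. The surrounding envelope (`actor.user`, `timestamp`), the assumption that `query.start` and `query.end` are epoch milliseconds, and the 30-day `WIDE_WINDOW` threshold are assumptions made for the example.

```python
import json
from datetime import timedelta

# Assumed review threshold for the size of a scheduled search window; this is
# a policy value for the example, not a LogScale default.
WIDE_WINDOW = timedelta(days=30)

# Constructed sample audit events. The query.* names follow the documented
# structure; the actor/timestamp envelope is assumed for the example.
SAMPLE_EVENTS = [
    json.dumps({
        "timestamp": 1700000000000,
        "actor": {"user": "alice"},
        "query": {
            "queryString": "#repo=humio-audit | groupBy(actor.user)",
            "start": 1699996400000,
            "end": 1700000000000,
            "isInteractive": True,
            "isLive": False,
            "isAlertQuery": False,
            "includeDeletedEvents": False,
            "languageVersion": "legacy",
            "timeZoneOffsetMinutes": 60,
        },
    }),
    json.dumps({
        "timestamp": 1700000000000,
        "actor": {"user": "scheduled-search"},
        "query": {
            "queryString": "#repo=humio-audit | count()",
            "start": 1692224000000,          # 90 days before end
            "end": 1700000000000,
            "isInteractive": False,
            "isLive": False,
            "isAlertQuery": True,
            "includeDeletedEvents": True,
            "noResultUntilDone": True,
            "languageVersion": "legacy",
            "timeZoneOffsetMinutes": 0,
        },
    }),
    json.dumps({
        "timestamp": 1700000000000,
        "actor": {"user": "bob"},
        "query": {
            "queryString": "#repo=humio-audit | tail(50)",
            "start": 1699999700000,          # 5 minutes before end
            "end": 1700000000000,
            "isInteractive": True,
            "isLive": True,
            "isAlertQuery": False,
            "includeDeletedEvents": False,
            "languageVersion": "legacy",
            "timeZoneOffsetMinutes": -300,
        },
    }),
]


def summarize_query(event: dict) -> dict:
    """Extract the documented query.* fields from one audit event and derive
    the searched window plus a list of review flags."""
    q = event.get("query", {})
    # Assumption: query.start and query.end are epoch milliseconds.
    start_ms, end_ms = q.get("start"), q.get("end")
    window = None
    if start_ms is not None and end_ms is not None:
        window = timedelta(milliseconds=end_ms - start_ms)

    flags = []
    if q.get("isInteractive") is False:      # automation, not a user in the UI/API
        flags.append("non-interactive")
    if q.get("isAlertQuery"):
        flags.append("alert")
    if q.get("isLive"):
        flags.append("live")
    if q.get("includeDeletedEvents"):
        flags.append("deleted-events")
    if q.get("useIngestTime"):
        flags.append("ingest-time")
    if window is not None and window > WIDE_WINDOW:
        flags.append("wide-window")

    return {
        "actor": event.get("actor", {}).get("user"),
        "queryString": q.get("queryString"),
        "languageVersion": q.get("languageVersion"),
        "window": window,
        "flags": flags,
    }


def triage(raw_events) -> list:
    """Parse newline-delimited JSON audit events into one summary per event."""
    return [summarize_query(json.loads(line)) for line in raw_events]


if __name__ == "__main__":
    for summary in triage(SAMPLE_EVENTS):
        print(summary["actor"], summary["window"], summary["flags"], summary["queryString"])
```

Feed the function real audit export lines instead of `SAMPLE_EVENTS` to get the same per-record summary; the flags are deliberately descriptive rather than verdicts, so a reviewer decides which combinations (for example a non-interactive query that includes deleted events over a wide window) deserve follow-up.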