Operators

Comparison Operators on Numbers

| Query | Description |
|---|---|
| statuscode < 400 | Less than |
| statuscode <= 400 | Less than or equal to |
| statuscode = 400 | Equal to |
| statuscode != 400 | Not equal to |
| statuscode >= 400 | Greater than or equal to |
| statuscode > 400 | Greater than |
| 400 = statuscode | (!) Tests whether the field named 400 is equal to statuscode. |
| 400 > statuscode | This comparison generates an error. You can only perform a comparison between numbers. In this example, statuscode is not a number, and 400 is the name of a field. |

Note

The left-hand-side of the operator is interpreted as a field name. If you write 200 = statuscode, Humio tries to find a field named 200 and test if its value is statuscode.

Warning

If the specified field is not present in an event, then the comparison always fails—unless it is !=. You can use this behavior to match events that do not have a given field, using either not (foo = *) or the equivalent foo != * to find events that do not have the field foo.
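The Note and Warning above matter most for negative filters in alerts and detections: `statuscode != 200` also returns events that have no statuscode field at all. The following Python sketch is an added example, not Humio code; it models only the rules stated on this page over constructed events, and the names `parse`, `matches`, `search` and `EVENTS` are hypothetical, as is the assumption that a non-numeric field value never matches a numeric comparison.

```python
import re

# Simplified model of the comparison rules above (not Humio's implementation).
_QUERY = re.compile(r"^\s*(\S+?)\s*(<=|>=|!=|<|>|=)\s*(\S+)\s*$")
_NUMERIC = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}

# Constructed sample events; the last one has no statuscode field.
EVENTS = [
    {"method": "GET", "statuscode": "200"},
    {"method": "POST", "statuscode": "404"},
    {"method": "GET", "statuscode": "500"},
    {"message": "worker started"},
]

def parse(query):
    """Split 'lhs op rhs'; the left-hand side is always taken as the field name."""
    m = _QUERY.match(query)
    if m is None:
        raise ValueError(f"not a comparison: {query!r}")
    return m.groups()

def matches(event, query):
    field, op, value = parse(query)
    if op in _NUMERIC:
        try:
            threshold = float(value)
        except ValueError:
            raise ValueError(f"{value!r} is not a number in {query!r}") from None
        if field not in event:
            return False  # missing field: the comparison fails
        try:
            return _NUMERIC[op](float(event[field]), threshold)
        except ValueError:
            return False  # assumption: a non-numeric field value never matches
    # '=' and '!=': only the bare '*' wildcard (field exists) is modelled here.
    present = field in event
    equal = present and (value == "*" or event[field] == value)
    return equal if op == "=" else not equal

def search(query):
    """Return the indexes of the sample events that the query matches."""
    return [i for i, e in enumerate(EVENTS) if matches(e, query)]

if __name__ == "__main__":
    for q in ("statuscode >= 400", "statuscode != 200", "statuscode != *", "400 = statuscode"):
        print(f"{q:20} -> {search(q)}")
```

To exclude events that lack the field, a negative filter has to be combined with an existence test such as statuscode = *.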

Tag Filters

Tag filters are a special kind of field filter. They behave in the same way as regular filters.

In queries, the tag filters are usually separated from the rest of the query by a pipe character | (see Query Structure). We recommend that you include the pipe character before tag filters to improve the readability of your queries.

However, these pipe characters are not mandatory. The Humio query engine can recognize tag filters, and use this information to narrow down the number of data sources to search. This feature decreases query time.

See the tags documentation for more on tags.

Logical Operators

You can combine filters using the and, or, not Boolean operators, and group them with parentheses. ! can also be used as an alternative to unary not.

Examples

| Query | Description |
|---|---|
| foo and user=bar | Match events with foo in any field and a user field matching bar. |
| foo bar | Since the and operator is implicit, you do not need to include it in this simple type of query. |
| statuscode=404 and (method=GET or method=POST) | Match events with 404 in their statuscode field, and either GET or POST in their method field. |
| foo not bar | This query is equivalent to the query foo and (not bar). |
| !bar | This query is equivalent to the query not bar. |
| not foo bar | This query is equivalent to the query (not foo) and bar. This is because the not operator has a higher priority than and and or. |
| foo and not bar or baz | This query is equivalent to the query foo and ((not bar) or baz). This is because Humio has a defined order of precedence for operators. It evaluates operators from the left to the right. |
| foo or not bar and baz | This query is equivalent to the query foo or ((not bar) and baz). This is because Humio has a defined order of precedence for operators. It evaluates operators from the left to the right. |
| foo not statuscode=200 | This query is equivalent to the query foo and statuscode!=200. |

Negating the Result of Filter Functions

The not and ! operators can also be used to negate filter function expressions, which is syntactically cleaner than passing in an explicit negate=true argument. Examples:

```humio
... | !cidr(ip, subnet="127.0.0.0/16") | ...
... | !in(field, values=[a, b, c]) | ...
... | !regex("xxx") | ...
```