Frequently Asked Questions

This page lists several frequently asked questions on Humio and related software. They include questions you might have before deciding to use Humio. There are some questions on how to install and migrate to Humio, as well as how to get assistance and learn about Humio.

Installation & Migration Questions

Is Humio cloud only, or is it possible to use Humio as a self-hosted solution?

We have customers that use our cloud solution, self-hosted solutions, and hybrids of both options. Consider what works best for your application and organization—we are happy to help you find the configuration to best suit your needs.

Is it easy to migrate from Elastic Stack an other logging systems?

Moving to Humio is easy! We have several common integrations to bring your logs into Humio and we even have a guide on moving from Elastic Stack to Humio—it’s as easy as following a few steps to getting your logs flowing.

Is Humio container ready?

Humio was built with containerization in mind! With integrations and existing setup for Kubernetes, Humio is a solution focused on modern deployment solutions.

How are timezones handled when sharing queries with people in different timezones?

The browser sends its timezone to the server and that determines cutoff for say timechart(span=1day). The timezone is not embedded in the URL, so if a query is shared across timezones the day cutoff will differ. The bucket() and timechart() functions lets you specify an explicit timezone (i.e., timechart(..., timezone=Z)). This will overrule the timezone of the browser. Note, that the x-axis of time charts is still shown in local time.

Can I set the license key using the API?

Yes, through our GraphQL API (you need to be a root user). Below is a curl example to get you going.

Example:

ini
HUMIO_BASE_URL=<example: https://example.com>
API_TOKEN=<you can find this in your account details>
LICENSE=<your license string>

curl ${HUMIO_BASE_URL}/graphql \
   -H "Authorization: Bearer ${API_TOKEN}" \
   -H "Content-type: application/json" \
   -d @- << EOF
  {"query":"mutation {updateLicenseKey(license: \"${LICENSE}\") {__typename}}"}
EOF

Networking Questions

Can I run Humio on IPv6-only, IPv4-only or both?

Humio runs on either or both IP versions, depending on what you specify using HUMIO_JVM_ARGS. By default the process binds on both IPv4 and IPv6. If you use the Docker images provided by Humio for Kafka and Zookeeper, or run the “humio/humio” image that includes both of them, you need to make sure those processes also get the same options regarding IP protocol as the Humio process.

IPv4 Only:

ini
HUMIO_JVM_ARGS=-Djava.net.preferIPv4Stack=true
KAFKA_OPTS=-Djava.net.preferIPv4Stack=true
ZOOKEEPER_OPTS=-Djava.net.preferIPv4Stack=true

IPv6 Only:

ini
HUMIO_JVM_ARGS=-Djava.net.preferIPv6Addresses=true
KAFKA_OPTS=-Djava.net.preferIPv6Addresses=true
ZOOKEEPER_OPTS=-Djava.net.preferIPv6Addresses=true

How do I detect when a host (log source) stops sending logs?

In Humio you can detect when a host or some other log source stops sending logs using the now() function and groupBy():

mysql
groupby(host, function=max(@timestamp, as=@timestamp))
| missing:=(now()-@timestamp)>(5*60*1000)
| missing=true

The above query shows a line for each host that we have not heard from in the last 5 minutes (timestamps in Humio are in milliseconds). You should run the query as a live search in a time interval that is longer than your “missing” threshold—when the last log from a log source is older than your search time interval, the log source will disappear from the result.

Log Management & Ingest Questions

What common log shipping solutions does Humio use?

While this list is not exhaustive, Beats, Logstash, or rsyslog for shipping your logs.

Can Humio Cloud accept logs from syslog?

No. Syslog data is sent to humio using ingest listeners, which are not supported by Humio Cloud.

Can I send multiline events to Humio?

Humio does support receiving events with multiple lines. What Humio does not support is correlating multiple events into a single multiline event, which means that it is up to the log shipper to detect wether an event spans across multiple lines. Filebeat has support for detecting multiline events.

What happened to Dataspaces?

“Repository” is the new term. What used to be a “dataspace” in Humio is now a repository.

The HTTP API includes the path /api/v1/dataspaces/$REPOSITORY_NAME/ to be compatible with existing clients. In this context, the $REPOSITORY_NAME variable is the name of the repository. (It used to be the name of the dataspace).

Alert Questions

Does Humio integrate with any notification systems?

Humio integrates with several common notification methods including email, Slack, and external services like OpsGenie. If you need Humio to work with your particular notification system, please contact our support team.

Why not make a separate user for wall monitors?

Humio’s security model will force a user to re-authenticate after the session expires, since wall monitors are usually non-interactive (don’t have a keyboard)—if you do it this way you will need to figure out how to make the browser re-authenticate periodically.

Are shared secret URLs safe?

They are as safe as any shared secret, but if anyone has the URL, they have read-only access. This might not be acceptable for your organization. In any case there are audit logging and GDPR to considerations you need to make. Often you need to know which users had access to what and when. Under any circumstance we recommend that you limit access to the Humio machines with a firewall or similar, to limit the impact of URLs getting into the wrong hands.