Query Filters

The most basic query in Humio is to search for a particular string in any field of events. All fields (except for the special @id, @timestamp, @ingesttimestamp fields and the tag fields are searched, including @rawstring. See the Events documentation for more details on @rawstring.

Free-Text Filters

Grepping runs on the fields in the event that are present at the start of the pipeline when performing a search. It does not take into account any fields added or removed within the pipeline.

When grepping is applied in a parser this differs: The event is processed as it is present at the point where the grepping happens. Humio recommends using Field filters() whenever possible within a parser to avoid ambiguous matches.

Note: Humio versions before 1.13 searched only the @rawstring field when grepping.

Grepping does not specify the order in which fields are searched. When not extracting fields, the order in which fields are checked is not relevant as any match will let the event “pass” the filter.

But when extracting fields using a regular expression, matches can yield non-deterministic extracted fields. To make extracted fields be the same if a match was also possible in the older versions, Humio prefers a match on @rawstring before trying other fields when extracting fields.

Note

You can perform more complex regular expression searches on all fields of an event by using the regex() function or the // regex syntax.

Query

Description

foo

Find all events matching foo in any field of the events.

“foo bar”

Use quotes if the search string contains white spaces or special characters, or is a keyword.

msg: \”welcome \”

You can include quotes in the search string by escaping them with backslashes.

You can also use a regular expression on all fields. To do this, write the regex.

Query

Description

/foo/

Find all events matching foo in any field of the events.

/foo/i

Find all events matching foo ignoring case.

Field Filters

Besides the free-text filters, you can also query specific event fields, both as text and as numbers.

Query

Description

url = *login*

The url field contains login. You can use * as a wild card.

user = Turing

The user field ends with Turing.

user =“Alan Turing”

The user field equals Alan Turing.

user !=“Alan Turing”

The user field does not equal Alan Turing.

url != *login*

The url field does not contain login.

user = *

Match events that have the field user.

user != *

Match events that do not have the field user.

name =“”

Match events that have a field called name but with the empty string as value.

user=“Alan Turing”

You do not need to put spaces around operators (for example, = or !=).

Regex Filters

In addition to globbing (* appearing in match strings) you can match fields using regular expressions.

Query

Description

url = /login/

The url field contains login.

user = /Turing$/

The user field ends with Turing.

loglevel = /error/i

The loglevel field matches error case insensitively; for example, it could be Error, ERROR or error.

/user with id (?<id>S+) logged in/ | top(id)

The user id is extracted into a field named id at search time. The id is then used in the top function to find the users that logged in the most. It is possible to extract fields in regular expressions using named groups. See Grepping for details.