Query Functions

Humio’s query functions take a set of events, parameters, or configurations. From this, they produce, reduce, or modify values within that set, or in the events themselves within a query pipeline.

Functions broadly fall into two categories, Transformation and Aggregate:

  • Transformation functions, sometimes referred to as Filter functions, transform or filter data and may add, remove or modify fields.

  • Aggregate functions combine events into a new result, often a single number or row.

Below is an alphabetical listing of all Humio query functions.

| Function | Description |
|---|---|
| asn() | Determines the autonomous system (AS) number and organization associated with a given IP address. |
| avg() | Calculates the average for a field over a set of events. |
| base64decode() | Performs Base64 decoding of a field. |
| beta:param() | Reads the given parameter and assigns its value to a field in the event. |
| beta:repeating() | Marks the live query the function is used in as repeating. |
| bucket() | Extends the groupBy function for grouping by time. |
| callFunction() | Calls the named function on a field over a set of events. |
| cidr() | Filters events using CIDR subnets. |
| collect() | Collects fields from multiple events into one event. |
| concat() | Concatenates the values of a list of fields into a value in a new field. |
| concatArray() | Concatenates the values of all fields with the same name and an array suffix into a new field. |
| copyEvent() | Duplicates an event so the pipeline sees both events. |
| count() | Counts events streaming through the function. |
| counterAsRate() | Calculates the rate for a counter field. |
| default() | Creates the field named by the given parameter with the given value. |
| drop() | Removes attributes or columns from a result set. |
| dropEvent() | Drops an event completely in the parser pipeline to stop it from being ingested. |
| end() | Assigns the current time, as milliseconds since 1970, to the end time of the query. |
| eval() | Creates a new field by evaluating the provided expression. |
| eventFieldCount() | Returns the number of fields the event uses internally for its values. |
| eventInternals() | Adds a set of fields describing the storage locations of the given event. |
| eventSize() | Returns the number of bytes the event uses internally for its values, not including field names. |
| fieldset() | Retrieves a list of available fields. |
| fieldstats() | Retrieves statistics about fields. |
| findTimestamp() | Finds a timestamp in the given field and parses it, trying multiple timestamp formats. |
| format() | Formats a string using printf-style formatting. |
| formatDuration() | Formats a duration into a more readable string. |
| formatTime() | Formats a timestamp into a string according to strftime, similar to Unix strftime. |
| geohash() | Calculates a geohash value given two fields representing latitude and longitude. |
| groupBy() | Groups events by specified fields and executes aggregate functions on each group. |
| hash() | Computes a non-cryptographic hash of a list of fields. |
| hashMatch() | Calculates a secure hash of a field and uses it to match events as a filter. |
| hashRewrite() | Calculates a secure hash of a field for storing in the event. |
| head() | Returns the oldest events. |
| holtwinters() | Used to generate a trendline for a periodic dataset. |
| in() | Filters events where the field's value is in the given list of values. |
| ioc:lookup() | Looks up IOCs (indicators of compromise). |
| ipLocation() | Determines country, city, longitude, and latitude for a given IP address. |
| join() | Joins two Humio searches. |
| json:prettyPrint() | Pretty-prints a JSON field for nicer output. |
| kvParse() | Parses key-value pairs from events. |
| length() | Returns the number of characters in a string field. |
| linReg() | Computes a linear relationship model between two variables using least-squares fitting. |
| lookup() | Enhances events with metadata. |
| lower() | Changes the text of a given string field to lowercase letters. |
| lowercase() | Use lower() in queries instead. |
| match() | Matches text against a CSV or JSON file and can enrich matching events. |
| math:abs() | Calculates the absolute value of a field. |
| math:arccos() | Calculates the arc cosine of a field. |
| math:arcsin() | Calculates the arc sine of a field. |
| math:arctan() | Calculates the arc tangent of a value. |
| math:ceil() | Rounds the field value to the smallest integer that is larger than or equal to it. |
| math:cos() | Calculates the cosine of a field. |
| math:cosh() | Returns the hyperbolic cosine of a double field. |
| math:deg2rad() | Converts angles from degrees to radians. |
| math:exp() | Calculates Euler's number e raised to the power of a double value in a field. |
| math:expm1() | Returns the exponential value of a number minus 1. |
| math:floor() | Returns the largest integer value not greater than the given field value. |
| math:log() | Calculates the natural logarithm (base e) of the value in a double field. |
| math:log10() | Calculates the base 10 logarithm of a double field. |
| math:log1p() | Calculates the natural logarithm of the sum of the field's value and 1. |
| math:log2() | Calculates the base 2 logarithm of a double field. |
| math:mod() | Calculates the floor modulus of the field value and the divisor. |
| math:pow() | Calculates the field value raised to the exponent power. |
| math:rad2deg() | Converts angles from radians to degrees. |
| math:sin() | Calculates the sine of a field. |
| math:sinh() | Calculates the hyperbolic sine of a double field. |
| math:sqrt() | Calculates the rounded positive square root of a double field. |
| math:tan() | Calculates the trigonometric tangent of an angle in a field. |
| math:tanh() | Calculates the hyperbolic tangent of a field. |
| max() | Finds the largest number for the specified field over a set of events. |
| min() | Finds the smallest number for the specified field over a set of events. |
| moment() | Calculates percentiles and returns one event with a field for each percentile given. |
| now() | Assigns the current time value as milliseconds since 1970. |
| parseCEF() | Parses CEF version 0.x encoded messages. |
| parseCsv() | Parses a CSV-encoded field into known columns. |
| parseFixedWidth() | Parses a fixed-width-encoded field into known columns. |
| parseHexString() | Parses hex-encoded bytes from the input, decoding the resulting bytes as a string. |
| parseInt() | Converts an integer from any radix (base) to base ten (decimal). |
| parseJson() | Parses specified fields as JSON. |
| parseLEEF() | Parses LEEF version 1.0 and 2.0 encoded messages. |
| parseTimestamp() | Parses a string into a timestamp. |
| parseUrl() | Extracts URL components from a field. |
| parseXml() | Parses the specified field as XML. |
| percentile() | Returns one event with a field for each percentile specified. |
| range() | Finds the numeric range between the smallest and largest numbers for a field over a set of events. |
| rdns() | Enriches events using a reverse DNS (RDNS) lookup. |
| regex() | Extracts new fields using a regular expression. |
| rename() | Renames a given field. |
| replace() | Replaces each substring that matches the given regular expression with the given replacement. |
| round() | Rounds an input field up or down, depending on which is nearest. |
| sample() | Samples the event stream. |
| sankey() | Produces data compatible with the Sankey widget. |
| select() | Used to specify a set of fields to select from each event. |
| selectLast() | Specifies fields to select from events, keeping the value from the most recent event for each field. |
| selfJoin() | Used to collate data from events that share a key. |
| selfJoinFilter() | Runs a query to determine IDs, then returns all events containing one of them. |
| series() | Collects a series of values for selected fields from multiple events into one or more events. |
| session() | Collects events into sessions, and aggregates them. |
| shannonEntropy() | Calculates an entropy measure from a string of characters. |
| sort() | Sorts events by their fields. |
| split() | Splits an event structure created by a JSON array into distinct events. |
| splitString() | Splits a string by a specified regular expression. |
| start() | Assigns the current time as milliseconds since 1970. |
| stats() | Used to compute multiple aggregate functions over the input. |
| stdDev() | Calculates the standard deviation for a field over a set of events. |
| stripAnsiCodes() | Removes ANSI color codes and movement commands. |
| subnet() | Computes a subnet from an IPv4 field. |
| sum() | Calculates the sum for a field over a set of events. |
| table() | Used to create a widget to present the data in a table. |
| tail() | Returns the newest events. |
| test() | Evaluates a boolean expression and filters events for which the expression is true. |
| time:dayOfMonth() | Gets the day of the month of a timestamp field. |
| time:dayOfWeek() | Gets the day of the week, from 1 (Monday) to 7 (Sunday), of a timestamp field. |
| time:dayOfWeekName() | Gets the English display name of the day of the week of a timestamp field. |
| time:dayOfYear() | Gets the day of the year of a timestamp field, from 1 to 365, or 366 in a leap year. |
| time:hour() | Gets the hour (24-hour clock) of a timestamp field. |
| time:millisecond() | Gets the millisecond of a timestamp field. |
| time:minute() | Gets the minute value of a timestamp field. |
| time:month() | Gets the month of a timestamp field (from 1 to 12). |
| time:monthName() | Gets the English name of the month of a timestamp field (e.g., January). |
| time:second() | Gets the second of a timestamp field. |
| time:weekOfYear() | Gets the week number within the year of a timestamp, a value from 1 to 53. |
| time:year() | Gets the year of a timestamp field. |
| timeChart() | Used to draw a line chart where the x-axis is time. |
| tokenHash() | Calculates a structure hash which is equal for similarly structured input. |
| top() | Finds the most common values of a field. |
| transpose() | Transposes a query result set by creating an event for each attribute. |
| unit:convert() | Converts values between different units. |
| upper() | Changes the contents of a string field to upper-case letters. |
| urlDecode() | URL-decodes the contents of a string field. |
| urlEncode() | URL-encodes the contents of a string field. |
| window() | Computes aggregate functions over a sliding window of data. |
| worldMap() | Used to produce data compatible with the World Map widget. |
| writeJson() | Writes fields as JSON. |
| xml:prettyPrint() | Pretty-prints an XML field for nicer output. |