Parser API

Data sent to Humio usually has some structure. You can use parsers to extract this structure. For example, a standard web server log has the status code, method, and URL fields for each log line.

When sending data to Humio, for example using Filebeat, you must specify a parser telling Humio how to parse the incoming data.

Humio has some built-in parsers for common formats like access logs from Apache and Nginx web servers. It also allows for custom parsers.

List Parsers

Request

To list all parsers for a given repository:

GET     /api/v1/dataspaces/$REPOSITORY_NAME/parsers

Response

[
  {
    "builtIn": true,
    "parseKeyValues": false,
    "parser": "(?<client>\\S+)\\s+-\\s+(?<userid>\\S+)\\s+\\[(?<@timestamp>.*)\\]\\s+\"((?<method>\\S+)\\s+(?<url>\\S+)?\\s+(?<httpversion>\\S+)?|-)\"\\s+(?<statuscode>\\d+)\\s+(?<responsesize>\\S+)\\s+\"(?<referrer>.*)\"\\s+\"(?<useragent>.*)\"\\s*(?<responsetime>.+)?",
    "id": "accesslog",
    "dateTimeFields": [
      "@timestamp"
    ],
    "kind": "regex",
    "dateTimeFormat": "dd/MMM/yyyy:HH:mm:ss Z"
  },
  {
    "id": "json",
    "kind": "json",
    "parseKeyValues": false,
    "dateTimeFields": [
      "@timestamp"
    ]
  }
]

The output format is similar to the input format in Add Parser.

Example

curl https://cloud.humio.com/api/v1/dataspaces/$REPOSITORY_NAME/parsers \
 -H "Authorization: Bearer $API_TOKEN"

Create or Update Parser

Request

To create a parser for a given repository:

POST     /api/v1/dataspaces/$REPOSITORY_NAME/parsers/$PARSER_ID

or, to update an existing parser, use:

PUT     /api/v1/dataspaces/$REPOSITORY_NAME/parsers/$PARSER_ID

The JSON request body has the following attributes:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| kind | String | Yes | Controls which parser kind to create. You can set this to regex or json. |
| parser | String | Yes | The parser specification. The contents of this field vary depending on the type of parser you are creating. See the details below. |
| parseKeyValues | Boolean | No | Sets whether you want the parser to parse ‘key=value’ pairs in the log line. The default value is false. |
| dateTimeFields | Array | Yes | Specifies the fields which contain the timestamp of the event. You can specify multiple fields, for example, a date field and a time field. The values of these fields are concatenated with whitespaces. Humio parses these fields with the format that you specify in the dateTimeFormat attribute. |
| dateTimeFormat | String | No | The format string that Humio should use to parse the fields identified by the dateTimeFields attribute. This attribute uses the Java DateTimeFormatter syntax. The default value is the ISO-8601 format, for example, yyyy-MM-dd'T'HH:mm:ss.SSSZ, with milliseconds as an optional addition. |
| timezone | String | No | This field is only used if the timestamp of the event is in local time and does not have a timezone. In that case, you can use it to set a timezone. Do not use this field if the timezone is part of the dateTimeFormat. Examples: UTC, Z, or Europe/Copenhagen. |
| tagFields | Array | No | Specifies fields in events generated by this parser that should be turned into tags. For example, you can specify that the host field in the events from this parser should be treated as a tag. |

Response

Standard HTTP response codes.

Example

curl https://cloud.humio.com/api/v1/dataspaces/$REPOSITORY_NAME/parsers/$PARSER_NAME \
 -XPUT \
 -H "Authorization: Bearer $API_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"parser": "^(?<date>\\S*) (?<time>\\S*) (?<host>\\S*) (?<appname>\\S*):",
      "kind": "regex",
      "parseKeyValues": true,
      "dateTimeFormat": "yyyy-MM-dd HH:mm:ss.SSS",
      "dateTimeFields": ["date", "time"],
      "timezone": "UTC",
      "tagFields": ["host"]
     }'
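
A local pre-flight check for the request body in the curl example above, added here as an example (it is not Humio's code): it confirms that every name in dateTimeFields and tagFields is a named capture group that matches a sample line, and returns the whitespace-joined timestamp text. The function names and the sample log line are constructed for illustration, and Python's re module only approximates the server's regex engine.

```python
import json
import re

# Java-style named group "(?<name>"; lookbehinds "(?<=" / "(?<!" are not matched.
_GROUP = re.compile(r"\(\?<([A-Za-z_@][\w@]*)>")

def extract_fields(parser_regex, line):
    """Apply a parser regex to one line; return {field: value}, or None if no match."""
    names = []
    def to_python(m):
        names.append(m.group(1))  # Python group names cannot contain "@": use aliases
        return "(?P<g%d>" % (len(names) - 1)
    # Assumption: search() semantics; the server's matching rules may differ.
    match = re.compile(_GROUP.sub(to_python, parser_regex)).search(line)
    if match is None:
        return None
    return {name: match.group("g%d" % i) for i, name in enumerate(names)}

def check_parser(body, sample_line):
    """Return a list of problems in a parser request body (empty list means none)."""
    problems = []
    if body.get("kind") not in ("regex", "json"):
        problems.append("kind must be regex or json")
    if not body.get("dateTimeFields"):
        problems.append("dateTimeFields is required")
    if body.get("kind") != "regex":
        return problems
    fields = extract_fields(body.get("parser", ""), sample_line)
    if fields is None:
        return problems + ["regex does not match the sample line"]
    for attr in ("dateTimeFields", "tagFields"):
        for name in body.get(attr, []):
            if fields.get(name) is None:
                problems.append("%s: no captured field %r" % (attr, name))
    return problems

def timestamp_text(body, fields):
    """Join the dateTimeFields values with whitespace, as the attribute table describes."""
    return " ".join(fields[name] for name in body["dateTimeFields"])

# Request body from the curl example above, as JSON text (note the doubled backslashes).
BODY = json.loads(r'''{"parser": "^(?<date>\\S*) (?<time>\\S*) (?<host>\\S*) (?<appname>\\S*):",
  "kind": "regex", "parseKeyValues": true, "dateTimeFormat": "yyyy-MM-dd HH:mm:ss.SSS",
  "dateTimeFields": ["date", "time"], "timezone": "UTC", "tagFields": ["host"]}''')
# Constructed sample log line (not from the page).
SAMPLE = "2018-01-10 12:30:01.123 web01 sshd: Accepted publickey for deploy"

if __name__ == "__main__":
    print(check_parser(BODY, SAMPLE), timestamp_text(BODY, extract_fields(BODY["parser"], SAMPLE)))
```

A misspelled field name in dateTimeFields is reported here before the parser is uploaded, rather than being discovered later in events whose timestamps were not taken from the log line.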

Parser Types

Humio currently supports two types of parsers:

JSON Parsers

When using the “json” parser type, Humio expects data to be in the JSON format.

The only required field is dateTimeFields. This designates which field has the timestamp.

Example

curl https://cloud.humio.com/api/v1/dataspaces/$REPOSITORY_NAME/parsers/$PARSER_NAME \
 -XPUT \
 -H "Authorization: Bearer $API_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"kind": "json", "dateTimeFields": ["@timestamp"] }'

RegExp Parsers

The “regex” parser type allows you to specify parsers using regular expressions, where named capture groups specify fields.

Example

This example shows how to parse Nginx access logs with regular expressions.
Note the use of \\ to escape backslashes:

(?<client>\\S+)\\s+-\\s+(?<userid>\\S+)\\s+\\[(?<@timestamp>.*)\\]\\s+\"((?<method>\\S+)\\s+(?<url>\\S+)?\\s+(?<httpversion>\\S+)?|-)\"\\s+(?<statuscode>\\d+)\\s+(?<responsesize>\\S+)\\s+\"(?<referrer>.*)\"\\s+\"(?<useragent>.*)\"\\s*(?<responsetime>.+)?

Delete Parser

Request

To delete a parser from a given repository, make the following request:

DELETE     /api/v1/dataspaces/$REPOSITORY_NAME/parsers/$PARSER_NAME

Response

Standard HTTP response codes.

Example

curl https://cloud.humio.com/api/v1/dataspaces/$REPOSITORY_NAME/parsers/$PARSER_NAME \
 -XDELETE \
 -H "Authorization: Bearer $API_TOKEN"