Queries

A Humio query is much like a query to an SQL database. You write search terms to include or exclude values from a repository or view. Unlike most SQL queries, a Humio query also performs calculations and transforms the data as part of the query.

To learn Humio's query language, head over to the language syntax documentation page.

Some queries filter, some transform and augment, and others aggregate data into result sets such as tables or bucketed time series.

Transformation Queries

Transformation expressions (also called filter expressions) filter the input or add, remove or modify fields on each event. These include filter expressions like:

name = "Peter" and age > 25
color := "blue"

A subset of the available query functions are known as transformation functions, e.g. regex, in or eval. Just like the examples above, they only add, remove or modify fields and never produce new (additional) events as output.

If a query consists solely of transformation expressions, it is known as a filter query or transformation query. This kind of query is required, for example, when connecting a view to a repository.

Aggregation Queries

Aggregation expressions are always function calls. These functions can combine their input into new structures or emit new events into the output stream.

A query becomes an aggregation query if it uses at least one aggregate function like sum, count or avg.

For example, the query count() takes a stream of events as its input, and produces a single record containing a _count field.

Examples

loglevel = ERROR | timechart()
x := y * 2 | bucket(function=sum(x))
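As an added illustration of the two query kinds above (not from the Humio documentation itself), the pair below runs against constructed web-server events with the assumed fields status, method, bytes and client_ip. The first query is transformation-only, so it keeps one event per input event and could be used to connect a view to a repository; the second ends in aggregate functions, so it collapses the stream into one row per client, which is a common way to review error-heavy sources during an investigation.

```humio
// Transformation query: a filter, a transformation function (in) and a field
// assignment. Every line passes events through, none creates new events.
status >= 400
| in(field=method, values=["POST", "PUT", "DELETE"])
| kb := bytes / 1024

// Aggregation query: the same filter and field assignment, followed by groupBy
// with count and sum. The output is one row per client_ip, not one per event.
status >= 400
| kb := bytes / 1024
| groupBy(field=client_ip, function=[count(as=errors), sum(field=kb, as=total_kb)])
| sort(field=errors, order=desc)
```

Only the second query would be rejected as a view connection filter, because groupBy, count and sum are aggregate functions.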