The Search field in Humio is a powerful tool to help you sift through your data and view only the information you want. Searches can range from quite simple to very complex. Another way to think of search terms is as filters applied to a displayed data set: each filter reduces the data set, so the results become an ever smaller pool of information.
For example, in the screenshot shown in Figure 1, the search term example.com has been entered in the query input box. Notice that there are still plenty of events in the main results panel on the right.
Taking this example a little further, when we add a second search term to display only results for the user orwell, the results are filtered further (see Figure 2). There will still be plenty of results, but fewer than before.
To make the filters you have applied easier to read, you can spread the query over multiple lines in the query input box. After entering one filter, press <ctrl>+<Enter> to move to a new line and enter the next filter there. Just be sure to start each new line with a pipe (i.e.,
Humio has many query functions for transforming or modifying the data in the result set. For instance, there are functions like :=, and field extractions.
Aggregates combine events into a new result, often a single number or row. For example, count returns one event with a single field, count. Examples of aggregates are
Functions and aggregates are very expensive in terms of CPU and memory usage. Therefore, the smaller the data set is before applying a function or aggregate, the faster your results will be returned. When building a complex search, be sure to filter your data set as much as possible before applying a function or aggregate. The order should be first filters, then functions, and finally aggregates for the best performance.
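The following query is an added example (not taken from the page or from the Humio documentation) that puts the multi-line pipe layout and the filter, function, aggregate ordering together. It assumes a repository whose events contain a user field and a bytes field and whose raw text includes a token such as status=200; those field names and the status token are assumptions, not something the page states.

```humio
example.com
| user = "orwell"
| regex("status=(?<status>[0-9]+)")
| kb := bytes / 1024
| groupBy(status, function=count())
```

The first two lines are filters and do the cheap work of shrinking the data set: the free-text term keeps only events mentioning example.com, and the field filter keeps only events for the user orwell. Only then does the regex() field extraction create a status field and the := assignment compute kb, so both run over the reduced set rather than the whole repository. The aggregate comes last, counting the surviving events per extracted status value. Reordering these lines so that groupBy() ran before the filters would force Humio to aggregate far more events for the same answer.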
You can recall recently run queries or saved queries from the Queries pull-down menu (see Figure 4).