Query Filters

The most basic query in Humio is to search for a particular string in any field of events. All fields (except for the special @id, @timestamp, @ingesttimestamp fields and the tag fields) are searched, including @rawstring. See the events documentation for more details on @rawstring.

Free-Text Filters (grepping)

Grepping runs on the fields in the event that are present at the start of the pipeline when performing a search. It does not take into account any fields added or removed within the pipeline.

Grepping in a parser behaves differently: the event is matched as it exists at the point in the parser where the grepping happens. Humio recommends using Field filters whenever possible within a parser to avoid ambiguous matches.

Note: Humio versions before 1.13 searched only the @rawstring field when grepping.

Grepping does not specify the order in which fields are searched. When not extracting fields, the order in which fields are checked is not relevant as any match will let the event “pass” the filter.

But when extracting fields using a regular expression, matches can yield non-deterministic extracted fields. To make extracted fields be the same if a match was also possible in the older versions, Humio prefers a match on @rawstring before trying other fields when extracting fields.

You can perform more complex regular expression searches on all fields of an event by using the regex() function or the // regex syntax.


Query                   Description
foo                     Find all events matching “foo” in any field of the events.
"foo bar"               Use quotes if the search string contains white spaces or special characters, or is a keyword.
"msg: \"welcome\""      You can include quotes in the search string by escaping them with backslashes.

You can also use a regular expression on all fields. To do this, write the regex between forward slashes.

Query                   Description
/foo/                   Find all events matching “foo” in any field of the events.
/foo/i                  Find all events matching “foo” ignoring case.
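
The field-order behaviour of free-text regex extraction described above, modelled in Python as an added example (this is not Humio's implementation and not code from this documentation). The names grep, searchable_fields and to_python_regex, the sample event, and the assumption that tag fields are the ones whose names start with # all belong to this example.

```python
import re

# Fields the page says free-text search skips. Assumption of this example:
# tag fields are the ones whose names start with '#'.
SKIPPED = {"@id", "@timestamp", "@ingesttimestamp"}

def to_python_regex(pattern):
    """Rewrite (?<name>...) named groups into Python's (?P<name>...) form."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)

def searchable_fields(event, prefer_rawstring=True):
    """Yield (name, value) pairs in the order the model checks them."""
    names = [n for n in event if n not in SKIPPED and not n.startswith("#")]
    if prefer_rawstring and "@rawstring" in names:
        names.remove("@rawstring")
        names.insert(0, "@rawstring")
    for name in names:
        yield name, str(event[name])

def grep(event, pattern, prefer_rawstring=True):
    """Return None if no field matches, else the named groups of the first match."""
    rx = re.compile(to_python_regex(pattern))
    for _, value in searchable_fields(event, prefer_rawstring):
        m = rx.search(value)
        if m:
            return m.groupdict()
    return None

# Constructed sample event: the pattern matches two fields with different captures.
EVENT = {
    "@timestamp": 1700000000000,
    "#type": "auth",
    "note": "replayed: user with id bob logged in",
    "@rawstring": "2023-11-14 user with id alice logged in from 10.0.0.5",
}
PATTERN = r"user with id (?<id>\S+) logged in"

if __name__ == "__main__":
    print(grep(EVENT, PATTERN))                          # @rawstring is checked first
    print(grep(EVENT, PATTERN, prefer_rawstring=False))  # field order decides the capture
    print(grep(EVENT, "auth"))                           # tag field value is not searched
```

Both calls with PATTERN let the event pass the filter; only the extracted id differs, which is why a field filter is the safer choice when the extracted value feeds later pipeline steps.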

Field Filters

Besides the free-text filters, you can also query specific event fields, both as text and as numbers.

Text fields

Query                   Description
url = *login*           The url field contains login. You can use * as a wild card.
user = *Turing          The user field ends with Turing.
user = "Alan Turing"    The user field equals Alan Turing.
user != "Alan Turing"   The user field does not equal Alan Turing.
url != *login*          The url field does not contain login.
user = *                Match events that have the field user.
user != *               Match events that do not have the field user.
name = ""               Match events that have a field called name but with the empty string as value.
user="Alan Turing"      You do not need to put spaces around operators (for example, = or !=).

Regex Filters

In addition to globbing (* appearing in match strings) you can match fields using regular expressions.

Query                   Description
url = /login/           The url field contains login.
user = /Turing$/        The user field ends with Turing.
loglevel = /error/i     The loglevel field matches error case insensitively; for example, it could be Error, ERROR or error.
/user with id (?<id>\S+) logged in/ | top(id)