The most basic query in Humio is to search for a particular string in any field of events. All fields (except for the special @ingesttimestamp fields and the tag fields) are searched, including @rawstring. See the events documentation for more details on
Grepping runs on the fields in the event that are present at the start of the pipeline when performing a search. It does not take into account any fields added or removed within the pipeline.
Grepping in a parser behaves differently: the event is searched as it exists at the point where the grepping happens. Humio recommends using field filters whenever possible within a parser to avoid ambiguous matches.
Note: Humio versions before 1.13 searched only the @rawstring field when grepping.
Grepping does not specify the order in which fields are searched. When not extracting fields, the order in which fields are checked is not relevant as any match will let the event “pass” the filter.
But when extracting fields using a regular expression, matches can yield non-deterministic extracted fields. To keep extracted fields the same as in older versions whenever a match was also possible there, Humio prefers a match on @rawstring before trying other fields when extracting fields.
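A small Python model of the matching rules described above, added here as an illustration (it is not Humio's code): it shows which fields a free-text filter sees, why extraction tries @rawstring first, and how a field filter removes the ambiguity. The sample events, the field names `comment` and `referrer`, and the `#` prefix marking tag fields are assumptions of the example.

```python
import re

# Constructed sample events; every field name except @rawstring and
# @ingesttimestamp is hypothetical. '#' marks a tag field (assumption).
EVENTS = [
    {"@rawstring": "user with id alice logged in",
     "@ingesttimestamp": "user with id ingest logged in",  # contrived value
     "#type": "user with id tag logged in",                # contrived value
     "comment": "user with id bob logged in"},
    {"@rawstring": "GET /profile 200",
     "referrer": "user with id carol logged in"},
]
# Python spells named groups (?P<id>...); Humio's form is (?<id>...).
PATTERN = r"user with id (?P<id>\S+) logged in"

def searchable(event):
    """Fields free-text search looks at: no @ingesttimestamp, no tag fields."""
    return {k: v for k, v in event.items()
            if k != "@ingesttimestamp" and not k.startswith("#")}

def grep(event, pattern):
    """Pass/fail filter: a match in any searchable field passes the event."""
    return any(re.search(pattern, v) for v in searchable(event).values())

def grep_extract(event, pattern):
    """Extraction: @rawstring is tried first, then the other fields.
    Sorted order for the rest is this model's choice; Humio specifies none."""
    fields = searchable(event)
    rest = sorted(k for k in fields if k != "@rawstring")
    for name in ["@rawstring"] + rest:
        m = re.search(pattern, fields.get(name, ""))
        if m:
            return name, m.groupdict()
    return None, {}

def legacy_extract(event, pattern):
    """Pre-1.13 behaviour: only @rawstring is searched."""
    m = re.search(pattern, event.get("@rawstring", ""))
    return m.groupdict() if m else {}

def field_filter(event, field, pattern):
    """Field filter: only the named field is tested, so no ambiguity."""
    return field in event and re.search(pattern, event[field]) is not None

if __name__ == "__main__":
    for ev in EVENTS:
        print(grep(ev, PATTERN), grep_extract(ev, PATTERN),
              legacy_extract(ev, PATTERN),
              field_filter(ev, "@rawstring", PATTERN))
```

For the second event the free-text filter passes and extracts `id` from `referrer`, a field the author of a detection query may not have intended to trust, while the field filter on @rawstring rejects it.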
You can perform more complex regular expression searches on all fields of an event by using the regex() function or the // regex syntax.
| Query | Description |
|---|---|
| foo | Find all events matching “foo” in any field of the events. |
| "foo bar" | Use quotes if the search string contains white spaces or special characters, or is a keyword. |
| "msg: \"welcome\"" | You can include quotes in the search string by escaping them with backslashes. |
You can also use a regular expression on all fields. To do this, write the regex between slashes.

| Query | Description |
|---|---|
| /foo/ | Find all events matching “foo” in any field of the events. |
| /foo/i | Find all events matching “foo” ignoring case. |
Besides the free-text filters, you can also query specific event fields, both as text and as numbers.
|url = login||The
|user = *Turing||The
|user = "Alan Turing"||The
|user != "Alan Turing"||The
|url != login||The
|user = *||Match events that have the field
|user != *||Match events that do not have the field
|name = ""||Match events that have a field called
|user="Alan Turing"||You do not need to put spaces around operators (for example,
In addition to globbing (* appearing in match strings) you can match fields using regular expressions.
|url = /login/||The
|user = /Turing$/||The
|loglevel = /error/i||The
|/user with id (?<id>\S+) logged in/||top(id)|