|statuscode < 400||Less than|
|statuscode <= 400||Less than or equal to|
|statuscode = 400||Equal to|
|statuscode != 400||Not equal to|
|statuscode >= 400||Greater than or equal to|
|statuscode > 400||Greater than|
|400 = statuscode||(!) The field ‘400’ is equal to statuscode.|
|400 > statuscode||This comparison generates an error. You can only perform a comparison between numbers. In this example,
The left-hand side of the operator is interpreted as a field name. If you write 200 = statuscode, Humio tries to find a field named 200 and tests if its value is statuscode.
If the specified field is not present in an event, then the comparison always fails, unless it is !=. You can use this behavior to match events that do not have a given field, using either not (foo = *) or the equivalent foo != * to find events that do not have the field foo.
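The missing-field and left-hand-side rules above, modeled in Python as an added example (this is not Humio code and not part of the original page). The model handles only exact values and a bare * wildcard, and assumes that a non-numeric field value never satisfies an ordering comparison; the sample events are constructed.

```python
import operator

# Ordering operators from the table above; "=" and "!=" are handled separately.
NUMERIC_OPS = {"<": operator.lt, "<=": operator.le,
               ">=": operator.ge, ">": operator.gt}

def field_filter(event, field, op, value):
    """Evaluate `field op value` for one event (a dict of field name -> string)."""
    if op in NUMERIC_OPS:
        try:
            rhs = float(value)
        except ValueError:
            # e.g. `400 > statuscode`: the right-hand side is not a number.
            raise ValueError(f"'{op}' needs a number on the right, got {value!r}")
    if field not in event:
        # A missing field fails every comparison except "!=".
        return op == "!="
    actual = event[field]
    if op == "=":
        return value == "*" or actual == value
    if op == "!=":
        return value != "*" and actual != value
    try:
        return NUMERIC_OPS[op](float(actual), rhs)
    except ValueError:
        return False  # assumption: a non-numeric field value never matches

# Constructed sample events (not taken from any real log).
EVENTS = [
    {"method": "GET", "statuscode": "200"},
    {"method": "POST", "statuscode": "404"},
    {"method": "GET"},                        # no statuscode field at all
    {"method": "GET", "400": "statuscode"},   # a field literally named "400"
]

def matches(field, op, value):
    """Return the indexes of EVENTS that pass the filter."""
    return [i for i, e in enumerate(EVENTS) if field_filter(e, field, op, value)]

def not_matches(field, op, value):
    """Model `not (field op value)`: every event the filter rejects."""
    return [i for i, e in enumerate(EVENTS) if not field_filter(e, field, op, value)]

if __name__ == "__main__":
    print(matches("statuscode", "!=", "200"))   # includes events with no statuscode
    print(matches("statuscode", "!=", "*"))
    print(not_matches("statuscode", "=", "*"))
```

When a filter such as statuscode != 200 feeds an alert, the events that lack the field entirely are part of the result set, so add statuscode = * if only events carrying the field should count.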
Tag filters are a special kind of field filter. They behave in the same way as regular filters.
In queries, the tag filters are usually separated from the rest of the query by a pipe character | (see Query Structure). We recommend that you include the pipe character before tag filters to improve the readability of your queries.
However, these pipe characters are not mandatory. The Humio query engine can recognize tag filters, and use this information to narrow down the number of datasources to search. This feature decreases query time.
See the tags documentation for more on tags.
You can combine filters using the and, or, and not Boolean operators, and group them with parentheses. ! can also be used as an alternative to unary not.
|foo and user=bar||Match events with
|foo bar||Since the
|statuscode=404 and (method=GET or method=POST)||Match events with
|foo not bar||This query is equivalent to the query foo and (not bar).|
|!bar||This query is equivalent to the query not bar.|
|not foo bar||This query is equivalent to the query (not foo) and bar. This is because the
|foo and not bar or baz||This query is equivalent to the query foo and ((not bar) or baz). This is because Humio has a defined order of precedence for operators. It evaluates operators from left to right.|
|foo or not bar and baz||This query is equivalent to the query foo or ((not bar) and baz). This is because Humio has a defined order of precedence for operators. It evaluates operators from left to right.|
|foo not statuscode=200||This query is equivalent to the query foo and statuscode!=200.|
The not and ! operators can also be used to negate filter function expressions, which is syntactically cleaner than passing in an explicit negate=true argument. Examples of this are:
... | !cidr(ip, subnet="127.0.0/16") | ...
... | !in(field, values=[a, b, c]) | ...
... | !regex("xxx") | ...