Operators

Comparison Operators on Numbers

Query Description
statuscode < 400 Less than
statuscode <= 400 Less than or equal to
statuscode = 400 Equal to
statuscode != 400 Not equal to
statuscode >= 400 Greater than or equal to
statuscode > 400 Greater than
400 = statuscode (!) The field ‘400’ is equal to statuscode.
400 > statuscode This comparison generates an error.
You can only perform a comparison between numbers.
In this example, statuscode is not a number, and 400 is the name of an field.

The left-hand-side of the operator is interpreted as a field name. If you write 200 = statuscode, Humio tries to find a field named 200 and test if its value is "statuscode".

If the specified field is not present in an event, then the comparison always fails — unless it is !=. You can use this behavior to match events that do not have a given field, using either not (foo = *) or the equivalent foo != * to find events that do not have the field foo.

Tag Filters

Tag filters are a special kind of field filter. They behave in the same way as regular filters.

In queries, the tag filters are usually separated from the rest of the query by a pipe character | (see Query Structure). We recommend that you include the pipe character before tag filters in your queries to improve the readability of your queries.

However, these pipe characters are not mandatory. The Humio query engine can recognize tag filters, and use this information to narrow down the number of datasources to search. This feature decreases query time.

See the tags documentation for more on tags.

Logical Operators: and, or, not, and !

You can combine filters using the and, or, not Boolean operators, and group them with parentheses. ! can also be used as an alternative to unary not.

Examples

Query Description
foo and user=bar Match events with foo in any field and a user field matching bar.
foo bar Since the and operator is implicit, you do not need to include it in this simple type of query.
statuscode=404 and (method=GET or method=POST) Match events with 404 in their statuscode field, and either GET or POST in their method field.
foo not bar This query is equivalent to the query foo and (not bar).
!bar This query is equivalent to the query not bar.
not foo bar This query is equivalent to the query (not foo) and bar. This is because the not operator has a higher priority than and and or.
foo and not bar or baz This query is equivalent to the query foo and ((not bar) or baz). This is because Humio has a defined order of precedence for operators. It evaluates operators from the left to the right.
foo or not bar and baz This query is equivalent to the query foo or ((not bar) and baz). This is because Humio has a defined order of precedence for operators. It evaluates operators from the left to the right.
foo not statuscode=200 This query is equivalent to the query foo and statuscode!=200.

Negating the Result of Filter Functions

The not and ! operators can also be used to negate filter function expressions, which is syntactically more clean than passing in an explicit negate=true argument. Examples of this are

... | !cidr(ip, subnet="127.0.0/16") | ...
... | !in(field, values=[a, b, c]) | ...
... | !regex("xxx") | ...