Search Overview

The Search field in Humio is a powerful tool to help you sift through your data and view only the desired information. Searches can range from quite simple to very complex. You can think of search terms as filters applied to the displayed data set. Each filter reduces the data set, making the results an ever smaller pool of information.

This data set has a search term of example.com applied. Note the number of results.

When we apply the second search term to only display results for user orwell, the results are further filtered. Again, note that the number of results has decreased.

You can also split the filters across multiple lines, which makes the applied filters easier to read. To add a filter on a new line, after entering one filter press <ctrl>+<Enter> and start the next line with a pipe (|).

Functions transform or mutate the data. Some examples of functions are: concat, select, eval, replace, :=, and field extractions.

Aggregates combine events into a new result, often a single number or row. For example, count() returns one event with one field, count. Examples of aggregates are count(), groupby, and timechart.


Functions and aggregates are very expensive in terms of CPU and memory usage. Therefore, the smaller the data set is before applying a function or aggregate, the faster your results will be returned. When building a complex search, be sure to filter your data set as much as possible before applying a function or aggregate. The order should be first filters, then functions, and finally aggregates for the best performance.
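The following search is an added example (not from the original page) that puts the recommended order into practice: filters first, then one function that derives a field, then a single aggregate. It assumes the events carry `user`, `url` and `statuscode` fields, which is an assumption about the log source, not something the page states.

```humio
// 1. Filters: shrink the data set before anything expensive runs.
example.com                      // free-text filter, same as the page's first example
| user=orwell                    // field filter, the page's second example
| statuscode >= 400              // keep only error responses (assumed field)
// 2. Function: derive a new field from the remaining events only.
| replace("\\?.*$", with="", field=url, as=endpoint)   // strip the query string (assumed field)
// 3. Aggregate: collapse the filtered events into one row per endpoint.
| groupBy(endpoint, function=count())
| sort(_count, order=desc)
```

Because the function and the aggregate only see events that survived the three filters, the same result is produced with far less CPU and memory than running groupBy() over the whole repository and filtering afterwards.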