A Humio query is much like a query to an SQL database. You write search terms to include or exclude values from a repository or view. Unlike most SQL queries, in Humio you also do calculations and transform the data as part of the query.
To learn Humio’s query language, head over to the language syntax documentation page.
Some filter, some transform and augment, others aggregate data into result sets like tables or bucketed time series.
Transformation expressions (also called Filter expressions) filter the input or add, remove, or modify fields on each event. These include filter expressions like:
name = "Peter" and age > 25
color := "blue"
A subset of the available query functions are known as Transformation Functions, for example
. Just like the examples above, they only add, remove, or modify fields and never produce new (additional) events as output.
If a query consists solely of transformation expressions, it is known as a filter query or transformation query. This kind of query is required when connecting views with repositories.
Aggregation expressions are always function calls. These functions can combine their input into new structures or emit new events into the output stream.
For example, the query
takes a stream of events as its input, and produces a single record containing a
loglevel = ERROR | timechart()
x := y * 2 | bucket(function=sum(x))
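The difference between the two kinds of expression can be seen in a small Python model of an event pipeline. This is an added example, not Humio's implementation: the events are constructed, the 60-second bucket span is an assumption, and the helper names and output field names are chosen for this model only.

```python
from collections import defaultdict

# Constructed sample events (timestamps in seconds); not real Humio data.
EVENTS = [
    {"@timestamp": 0,  "name": "Peter", "age": 30, "y": 2},
    {"@timestamp": 20, "name": "Peter", "age": 19, "y": 5},
    {"@timestamp": 70, "name": "Anna",  "age": 41, "y": 1},
    {"@timestamp": 95, "name": "Peter", "age": 52, "y": 4},
]

def where(pred):
    """Transformation: each input event is either passed through or dropped."""
    def stage(events):
        return (e for e in events if pred(e))
    return stage

def assign(field, fn):
    """Transformation: models `field := expr`; one output event per input."""
    def stage(events):
        return ({**e, field: fn(e)} for e in events)
    return stage

def bucket_sum(field, span):
    """Aggregation: consumes the whole stream and emits new events,
    one per time bucket (field names here belong to this model)."""
    def stage(events):
        totals = defaultdict(int)
        for e in events:
            totals[e["@timestamp"] // span * span] += e[field]
        return [{"_bucket": b, "_sum": s} for b, s in sorted(totals.items())]
    return stage

def run(events, *stages):
    """Chain stages left to right, like the `|` pipe in a query."""
    for stage in stages:
        events = stage(events)
    return list(events)

def filter_query(events):
    # Models: name = "Peter" and age > 25 | color := "blue"
    return run(events,
               where(lambda e: e["name"] == "Peter" and e["age"] > 25),
               assign("color", lambda e: "blue"))

def aggregate_query(events):
    # Models: x := y * 2 | bucket(function=sum(x)), assumed 60 s span
    return run(events, assign("x", lambda e: e["y"] * 2), bucket_sum("x", 60))
```

The filter query returns a subset of the original events with one extra field, while the aggregate query returns events that did not exist in the input.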