Event model
Imply Lumi is an observability platform to store and query event data, such as log messages, HTTP request data, and system errors.
Before an event arrives in Lumi, forwarding agents or other data processing mechanisms typically transform the data from its raw state. For example, a forwarder may add metadata to the event or extract field values like the timestamp. Before storing an event, Lumi also performs similar event data processing tasks. See Send events to Lumi and Event lifecycle for details.
This topic describes event data as stored in Lumi after all data processing is complete.
Event components
Each event consists of a timestamp, a message, user attributes, and system attributes.
The event timestamp records the exact time an event occurred. For example: Mar 21, 11:54:53.120 AM.
The message consists of the event text. For example, the text of the following HTTP server access log:
11.44.142.49 - - [25/Mar/2025:19:23:38 -0500] "GET /logout HTTP/1.1" 200 2326 "https://www.forbes.com/" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
User attributes
User attributes provide context to an event, such as its source and source type. User attributes can also come from information Lumi parses from raw events or adds with pipelines. You can view and search user attributes in Lumi and other integrated systems.
You can define user attribute values at various stages in the event lifecycle. Lumi prioritizes the assignment of user attributes in the following order of precedence:
- You create a pipeline to add, process, or remove attributes.
- You send raw events with metadata or configure a forwarding agent, such as an OTel collector, to add the attributes.
- You assign attribute default values from an integration, when available. This includes IAM key attributes and fields in CSV file upload.
The index is a special user attribute that's used for Splunk® federated search.
For more details on assigning index, see Index user attribute.
System attributes
Lumi defines and sets the semantics of system attributes. System attributes apply universally across all events and can only be accessed within Lumi. Usually, Lumi extracts system attributes from a system component such as the event collector, a receiver, or an IAM key.
System attributes contain the global attributes env and team, which you can specify when configuring an IAM key.
Global attributes are associated with the IAM key used to report the event.
You can set global attributes to any string value that is fewer than 32 characters.
The following table lists the system attributes that Lumi may assign to an event:
| Attribute | Type | Description | Nullable | Example |
|---|---|---|---|---|
| collector | string | Version of the Lumi event collector that accepted the event. Used for troubleshooting. | No | ec 20250504.1234.0 |
| env | string | Environment associated with the event. Defaults to Unknown. | Yes | staging |
| eventId | string | Unique identifier for the event. | No | a_bcNdW7-0000-10111 |
| file | string | Name of the file from which the event was ingested, if applicable. | Yes | site_visitors_quickstart.csv |
| iamKeyId | string | IAM key or user ID used to ingest the event. | No | 9da461cb-xxxx-xxxx-xxxx-158eb31bf048 |
| processor | string | Version of the Lumi event collector that processed the event. Used for troubleshooting. | No | ec 20250504.1234.0 |
| receiver | string | Type of receiver that collected the event. | No | splunk.s2s |
| status | enum | Status or severity of the event, as detected or set at ingestion time. Lumi evaluates incoming events for specific attributes, including status, severity, level, syslog.severity, and response. If detected, Lumi maps the value to an event status using HTTP status code categories and syslog severity levels. Supported enum values: debug, info, notice, warning, error, critical, alert, emergency, ok. | Yes | info |
| team | string | Team associated with the event. Defaults to Unassigned. | Yes | backend |
Filter by attributes
You can use system and user attributes to filter search results or view resource usage. For details about searching events, see Search events with Lumi.
Search system attributes
To filter events by a system attribute, add a search condition and preface the attribute name with #.
You can include multiple system attributes in the search.
For example, search for all events whose status is info:
#status=info
Search user attributes
To filter events by a user attribute, add a search condition with the attribute name.
For example, search for events where the index is main and the source type is not otel:
index=main sourcetype!=otel
A user attribute can have a null value.
When searching for events using federated search, you can use the fillnull command to replace null or missing attribute values with a default value.
For an example, see Federated search examples.
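The following Python sketch is an added illustration, not Lumi code or its API. It models the user attribute order of precedence and the `#`-prefixed search conditions described in this topic. The function names, the event dictionary layout, and the sample values are assumptions, as is treating a null attribute as unequal to every value.

```python
import re
from collections import ChainMap

MAX_GLOBAL_LEN = 32  # global attribute values must be fewer than 32 characters

def resolve_user_attributes(pipeline, forwarder, defaults, removed=()):
    """Merge user attributes: pipeline > forwarder/raw metadata > integration defaults."""
    # ChainMap returns the value from the first mapping that defines the key.
    merged = dict(ChainMap(pipeline, forwarder, defaults))
    for name in removed:  # a pipeline may also remove attributes
        merged.pop(name, None)
    return merged

def valid_global(value):
    """True when value is usable as the env or team global attribute."""
    return isinstance(value, str) and len(value) < MAX_GLOBAL_LEN

_COND = re.compile(r"(#?)([\w.]+)(!=|=)(\S+)")

def matches(event, query):
    """AND the conditions; '#name' reads system attributes, 'name' reads user attributes."""
    for is_system, name, op, value in _COND.findall(query):
        attrs = event["system"] if is_system else event["user"]
        # Assumption of this sketch: a null or missing attribute equals no value.
        if (attrs.get(name) == value) != (op == "="):
            return False
    return True

# Constructed sample event; attribute values are illustrative only.
EVENT = {
    "timestamp": "2025-03-25T19:23:38-05:00",
    "message": '11.44.142.49 - - [25/Mar/2025:19:23:38 -0500] "GET /logout HTTP/1.1" 200 2326',
    "system": {"status": "info", "env": "staging", "team": "backend", "receiver": "splunk.s2s"},
    "user": resolve_user_attributes(
        pipeline={"sourcetype": "access_combined"},
        forwarder={"sourcetype": "otel", "source": "/var/log/httpd/access_log"},
        defaults={"index": "main", "source": "iam-key-default"},
    ),
}

if __name__ == "__main__":
    print(EVENT["user"])
    print(matches(EVENT, "#status=info"), matches(EVENT, "index=main sourcetype!=otel"))
```

In this model, a search for `status=info` without the `#` prefix does not match, because it looks up status among the user attributes.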
View resource usage
You can view resource usage grouped by the environment, team, or index attributes. View the resource usage for these attributes in the Usage sub-page of the Billing section. For more information, see Monitor billing and usage.
Learn more
See the following topics for more information:
- IAM key attributes for reference on IAM key attributes.
- Send events to Lumi for information on the methods you can use to send events to Lumi.
- Search events with Lumi for search methods and syntax.