Search events with Splunk
Federated search allows you to query data across Splunk® and Imply Lumi simultaneously. Learn how to set up federated search, understand supported query syntax, view examples, and monitor performance.
Imply Lumi integrates with Splunk® to let you query Lumi events using Splunk Search Processing Language (SPL). You can analyze Lumi events alongside your Splunk data without duplicating data or changing your existing workflows.
You can use standard and transparent federated modes:
- Standard mode: Requires the `federated:` prefix to query Lumi indexes. Use this mode when you want explicit control over which federated indexes are queried. See Set up standard federated search.
- Transparent mode: Queries Lumi without the `federated:` prefix. Required for data model queries. See Set up transparent federated search and Query events with data models.
Choose the mode that best fits your workflow and follow the setup guide for your selected mode.
Once you've configured federated search, refer to the Federated search reference for a complete list of supported SPL commands, syntax, and functions. See Federated search examples for sample queries with example output.
To track and optimize your federated queries, see Monitor search performance for guidance on using the Splunk job inspector to examine search execution.