Search events with Splunk

AI summary

Explains how to query Imply Lumi events using SPL by integrating with Splunk®. Introduces standard and transparent federated modes for analyzing Lumi events alongside your existing Splunk data.

About AI summaries.

Imply Lumi integrates with Splunk® to let you query Lumi events using Splunk Search Processing Language (SPL). You can analyze Lumi events alongside your Splunk data without duplicating data or changing your existing workflows.

You can use standard and transparent federated modes:

• Standard mode: Requires the federated: prefix to query Lumi indexes. Does not support data models. See Set up standard federated search.
• Transparent mode: Queries Lumi without the federated: prefix. Required for data model queries, but can also be used without this feature. Sends all queries to Lumi. See Set up transparent federated search and Query events with data models.

Both modes let you control which Lumi indexes are available for queries using the allowed indexes feature on the IAM key.

Choose the mode that best fits your workflow and follow the setup guide for your selected mode.

note

Don't configure both standard and transparent federated providers that point to the same Lumi endpoint, because it can cause inconsistent results. See Multiple federated provider modes for details.

Once you've configured federated search, refer to the Federated search reference for a complete list of supported SPL commands, syntax, and functions. See Federated search examples for sample queries with example output.

To track and optimize your federated queries, see Monitor search performance for guidance on using the Splunk job inspector to examine search execution.