
Splunk federated search reference


Once you set up federated search, you can search Imply Lumi events using a federated provider in Splunk®. With federated search, you use Splunk Search Processing Language (SPL) to query Lumi events.

This reference lists the SPL commands, syntax, and functions supported by Lumi for federated searches. For example queries using SPL commands that are fully supported in Lumi, see Federated search examples.

Note: Federated search queries event data only, not system attributes.

Search modes

Lumi supports all Splunk search modes for federated search. See the Splunk documentation on search modes for details.

Compatible SPL commands

The following table describes the compatibility of SPL commands with Lumi federated search. Commands that Splunk executes on the search head rather than in Lumi are noted.

Command | Lumi support
search | Fully supported
accum | Executed on the Splunk search head
addcoltotals | Executed on the Splunk search head
addtotals | Executed on the Splunk search head
anomalies | Executed on the Splunk search head
anomalousvalue | Executed on the Splunk search head
anomalydetection | Executed on the Splunk search head
append | Executed on the Splunk search head
appendcols | Executed on the Splunk search head
apply | Executed on the Splunk search head; requires the Splunk AI toolkit and Python for Scientific Computing Splunk add-ons
autoregress | Executed on the Splunk search head
bin | aligntime option not supported; log span (like span=2log10) not supported
bucket | Synonym for bin; aligntime option not supported; log span (like span=2log10) not supported
bucketdir | Executed on the Splunk search head
chart | See supported functions below
cluster | Executed on the Splunk search head
cofilter | Executed on the Splunk search head
collect | Executed on the Splunk search head
concurrency | Executed on the Splunk search head
contingency | Executed on the Splunk search head
convert | Fully supported
correlate | Executed on the Splunk search head
ctable | Executed on the Splunk search head
dbinspect | Executed on the Splunk search head
dedup | Executed on the Splunk search head
delta | Executed on the Splunk search head
diff | Executed on the Splunk search head
eval | See supported functions below
eventcount | Executed on the Splunk search head
eventstats | See supported functions below
fieldformat | Executed on the Splunk search head
fields | Fully supported
fieldsummary | Executed on the Splunk search head
filldown | Executed on the Splunk search head
fillnull | Fully supported
findtypes | Executed on the Splunk search head
fit | Executed on the Splunk search head; requires the Splunk AI toolkit and Python for Scientific Computing Splunk add-ons
folderize | Executed on the Splunk search head
format | Executed on the Splunk search head
gentimes | Executed on the Splunk search head
gauge | Executed on the Splunk search head
head | eval-expression not supported
highlight | Executed on the Splunk search head
history | Executed on the Splunk search head
inputcsv | Executed on the Splunk search head
inputlookup | Executed on the Splunk search head
iplocation [1] | Fully supported
join | Executed on the Splunk search head
kmeans | Executed on the Splunk search head
loadjob | Executed on the Splunk search head
localop | Executed on the Splunk search head
makecontinuous | Executed on the Splunk search head
makeresults | Executed on the Splunk search head
map | Executed on the Splunk search head
metadata | Executed on the Splunk search head
mvcombine | Executed on the Splunk search head
mvexpand | Fully supported
outlier | Executed on the Splunk search head
outputlookup | Executed on the Splunk search head
outputtext | Executed on the Splunk search head
overlap | Executed on the Splunk search head
predict | Executed on the Splunk search head
rare | Fully supported
regex | Fully supported
rename | Wildcard-based renaming of similar fields not supported
replace | Fully supported
rest | Executed on the Splunk search head
return | Executed on the Splunk search head
reverse | Executed on the Splunk search head
rex | offset_field and non-default max_match not supported
rtorder | Executed on the Splunk search head
scrub | Executed on the Splunk search head
searchtxn | Executed on the Splunk search head
selfjoin | Executed on the Splunk search head
sendalert | Executed on the Splunk search head
sendemail | Executed on the Splunk search head
set | Executed on the Splunk search head
setfields | Fully supported
sirare | Fully supported
sistats | Executed on the Splunk search head
sitop | Fully supported
sort | Optimized for Lumi query processing; sorting on calculated fields not supported
spath | Using without output argument not supported
stats | delim is the only supported optional argument; see supported functions below
strcat | Executed on the Splunk search head
streamstats | See supported functions below
table | Fully supported
tail | Fully supported
timechart | See supported functions below
timewrap | Executed on the Splunk search head
top | Fully supported
transaction | Executed on the Splunk search head
transpose | Executed on the Splunk search head
trendline | Executed on the Splunk search head
trequire | Executed on the Splunk search head
tstats | Optional arguments not supported; see supported functions below
typeahead | Executed on the Splunk search head
untable | Executed on the Splunk search head
where | See supported functions below
x11 | Executed on the Splunk search head
xyseries | Executed on the Splunk search head

Supported syntax

Use the following operators for comparisons and boolean logic in federated searches and where expressions.
Functions such as like and match provide additional pattern-matching options.

Operator/Syntax | Description | Example
= | Equal to | status=200
!= | Not equal to | status!=200
> | Greater than | count>400
>= | Greater than or equal to | total_events>=5000
< | Less than | host_event_count<100
<= | Less than or equal to | percent<=50
"" | Exact phrase | #processor="ec 20250806.1487.0"
* | Wildcard matching | uri=*policy*
AND | Match both conditions | method=GET AND status=404
OR | Match either or both conditions | status=500 OR level=error
NOT | Exclude results matching the condition | NOT uri="/orders*"
IN | Match any value from a list (in where or eval) | where method IN (GET,POST)
NOT IN | Exclude listed values (in where or eval) | where NOT (user IN ("trixie9292","gusosborne"))
XOR | True when exactly one input is true | where method=PUT XOR status=400
CASE | Case-sensitive match | CASE(Intel)

If a search term includes a space, enclose it in double quotes (").

Wildcard matching

Use * (asterisk) as a wildcard to match any characters within quoted search phrases.
Examples:

  • uri_path=/admin*
  • user=CASE(*admin*)
  • useragent=*bot*
  • clientip=192.168.*
  • useragent=*"Intel Mac"*
  • method="POST" AND uri=*/login*

You can’t search for the asterisk character itself, as it’s reserved for wildcards.
See Splunk wildcard documentation for details.

Wildcard expansion limits

When using wildcards to expand fields (for example, in stats commands), Lumi limits expansion to 10 fields by default to protect system performance. If your queries require more than 10 expanded fields, contact Imply support with your IAM key details to increase the limit.

Query by event indexing timestamp

You can add a Lumi pipeline to capture the ingestion timestamp for each event. For details, see Event indexing time.

Once your events have the indexing timestamp attribute, you can use the _index_earliest and _index_latest modifiers in queries.

For example, the following query searches all events in the federated Lumi main table between January 1-31, 2026:

index="federated:lumi_main" _index_earliest="01/01/2026:08:30:00" _index_latest="01/31/2026:20:00:00"

See the Splunk docs on Time modifiers for more information.

Evaluation operators

Evaluation expressions use functions and operators to calculate and compare values.
Lumi supports these operators:

  • Mathematical: +, -, *, /, %
  • Comparison: =, ==, !=, >, >=, <, <= (= and == are equivalent)
  • Unary minus: -
  • String concatenation: . (for example, first_name . " " . last_name)

Supported evaluation functions

Lumi supports the following evaluation functions:

Function type | Supported functions
Bitwise | bit_and, bit_or, bit_not, bit_xor, bit_shift_left, bit_shift_right
Comparison and conditional | case, cidrmatch, coalesce, false, if, like, match, null, nullif, searchmatch, true, validate
Cryptographic | md5, sha1, sha256, sha512
Date and time | now, relative_time, strftime, strptime, time
Informational | isbool, isdouble, isint, isnotnull, isnull, isnum, isstr
Mathematical | abs, ceiling / ceil, exact, exp, floor, ln, log, pi, pow, round, sigfig, sqrt, sum
Multivalue evaluation | commands, mvappend, mvcount, mvdedup, mvfilter, mvfind, mvindex, mvjoin, mvmap, mvrange, mvreverse, mvsort, mvzip, mv_to_json_array, split
Text | len, lower, ltrim, replace, rtrim, spath, substr, trim, upper, urldecode
Trigonometric and hyperbolic | acos, acosh, asin, asinh, atan, atan2, atanh, cos, cosh, hypot, sin, sinh, tan, tanh

Lumi supports Java regular expressions, not Perl-style regex.

Supported statistical and charting functions

Lumi supports the following statistical and charting functions:

Function type | Supported functions
Aggregate functions | avg, c, count, dc, distinct_count, estdc, estc_error, exactperc, max, mean, median, min, mode, perc, range, stdev, stdevp, sum, sumsq, upperperc, var, varp
Event order functions | first, last
Multivalue stats and chart functions | list, values
Stats sparkline functions | See Sparkline function options
Time functions | earliest, earliest_time, latest, latest_time, rate
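The following query is an added example, not part of this reference or of Imply's own documentation. It combines the supported syntax, evaluation functions and statistical functions listed above into one pipeline that summarizes repeated login failures per client address against the federated Lumi main table. It assumes web access events that carry the clientip, user, useragent, uri and status fields used in the examples above; the 10.0.0.0/8 internal range, the regex and the thresholds are constructed values to adjust for your environment.

```spl
index="federated:lumi_main" uri=*/login* AND (status=401 OR status=403)
| eval src_class=if(cidrmatch("10.0.0.0/8", clientip), "internal", "external")
| eval ua_class=if(match(useragent, "(?i)bot|curl|python"), "automated", "browser")
| stats count AS failures, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen BY clientip, src_class, ua_class
| eval window_seconds=last_seen-first_seen
| where failures>=20 AND distinct_users>=5
| table clientip, src_class, ua_class, failures, distinct_users, window_seconds
```

Each stage stays within what this reference marks as supported: the initial search uses the wildcard, AND and OR operators (IN is listed only for where and eval, so the status filter is written with OR at the search stage); the eval stages use if, cidrmatch and match, with the match pattern written as a Java regular expression as the reference requires; stats uses count, dc, earliest and latest; and where applies the >= and AND operators to the aggregated fields. A trailing sort on failures is deliberately omitted because the command table notes that sorting on calculated fields is not supported.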

Learn more

See the following topics for more information:

Footnotes

  1. Lumi derives the location of IPs based on data from the IP to City Lite database by DB-IP. This database is licensed under a Creative Commons CC BY 4.0 license.