Splunk federated search reference

Once you set up federated search, you can search an index in Imply Lumi using a federated index in Splunk®. With federated search, you use Splunk Search Processing Language (SPL) to query Lumi events.

This reference lists the SPL commands, syntax, and functions supported by Lumi for federated searches.

Note: Federated search queries event data only, not system attributes.

Search modes

Lumi supports all Splunk search modes for federated search. See the Splunk documentation on search modes for details.

Compatible SPL commands

The following table describes compatibility of federated search commands with Lumi. Cases when Splunk executes a command at the search head are noted.

Command | Lumi support
--- | ---
search | Fully supported
accum | Executed on the Splunk search head
addcoltotals | Executed on the Splunk search head
addtotals | Executed on the Splunk search head
anomalies | Executed on the Splunk search head
anomalousvalue | Executed on the Splunk search head
anomalydetection | Executed on the Splunk search head
append | Executed on the Splunk search head
appendcols | Executed on the Splunk search head
autoregress | Executed on the Splunk search head
bin | aligntime option not supported; log span (like span=2log10) not supported
bucket | Synonym for bin; aligntime option not supported; log span (like span=2log10) not supported
bucketdir | Executed on the Splunk search head
chart | See supported functions below
cluster | Executed on the Splunk search head
cofilter | Executed on the Splunk search head
collect | Executed on the Splunk search head
concurrency | Executed on the Splunk search head
contingency | Executed on the Splunk search head
correlate | Executed on the Splunk search head
ctable | Executed on the Splunk search head
dbinspect | Executed on the Splunk search head
dedup | Executed on the Splunk search head
delta | Executed on the Splunk search head
diff | Executed on the Splunk search head
eval | See supported functions below
eventcount | Executed on the Splunk search head
eventstats | See supported functions below
fieldformat | Executed on the Splunk search head
fields | Fully supported
fieldsummary | Executed on the Splunk search head
filldown | Executed on the Splunk search head
fillnull | Optional arguments not supported
findtypes | Executed on the Splunk search head
folderize | Executed on the Splunk search head
format | Executed on the Splunk search head
gentimes | Executed on the Splunk search head
gauge | Executed on the Splunk search head
head | eval-expression not supported
highlight | Executed on the Splunk search head
history | Executed on the Splunk search head
inputcsv | Executed on the Splunk search head
inputlookup | Executed on the Splunk search head
iplocation [1] | Fully supported
join | Executed on the Splunk search head
kmeans | Executed on the Splunk search head
loadjob | Executed on the Splunk search head
localop | Executed on the Splunk search head
makecontinuous | Executed on the Splunk search head
makeresults | Executed on the Splunk search head
map | Executed on the Splunk search head
metadata | Executed on the Splunk search head
mvcombine | Executed on the Splunk search head
nomv | Executed on the Splunk search head
outlier | Executed on the Splunk search head
outputlookup | Executed on the Splunk search head
outputtext | Executed on the Splunk search head
overlap | Executed on the Splunk search head
predict | Executed on the Splunk search head
rare | Fully supported
regex | Fully supported
rename | Wildcard-based renaming of similar fields not supported
replace | Fully supported
rest | Executed on the Splunk search head
return | Executed on the Splunk search head
reverse | Executed on the Splunk search head
rex | mode=sed, offset_field, and non-default max_match not supported
rtorder | Executed on the Splunk search head
scrub | Executed on the Splunk search head
searchtxn | Executed on the Splunk search head
selfjoin | Executed on the Splunk search head
sendalert | Executed on the Splunk search head
sendemail | Executed on the Splunk search head
set | Executed on the Splunk search head
setfields | Fully supported
sirare | Fully supported
sistats | Executed on the Splunk search head
sitop | Fully supported
sort | Sorting on calculated fields not supported
spath | Using without output argument not supported
stats | Optional arguments not supported; see supported functions below
strcat | Executed on the Splunk search head
streamstats | See supported functions below
table | Fully supported
tail | Fully supported
timechart | See supported functions below
timewrap | Executed on the Splunk search head
top | Fully supported
transaction | Executed on the Splunk search head
transpose | Executed on the Splunk search head
trendline | Executed on the Splunk search head
trequire | Executed on the Splunk search head
tstats | Optional arguments not supported; see supported functions below
typeahead | Executed on the Splunk search head
untable | Executed on the Splunk search head
where | See supported functions below
x11 | Executed on the Splunk search head
xyseries | Executed on the Splunk search head

Supported syntax

Use the following operators for comparisons and boolean logic in federated searches and where expressions.
Functions such as like and match provide additional pattern-matching options.

Operator/Syntax | Description | Example
--- | --- | ---
= | Equal to | status=200
!= | Not equal to | status!=200
> | Greater than | count>400
>= | Greater than or equal to | total_events>=5000
< | Less than | host_event_count<100
<= | Less than or equal to | percent<=50
"" | Exact phrase | #processor="ec 20250806.1487.0"
* | Wildcard matching | uri=*policy*
AND | Match both conditions | method=GET AND status=404
OR | Match either or both conditions | status=500 OR level=error
NOT | Exclude results matching condition | NOT uri="/orders*"
IN | Match any value from a list (in where or eval) | where method IN (GET,POST)
NOT IN | Exclude listed values (in where or eval) | where NOT (user IN ("trixie9292","gusosborne"))
XOR | True when exactly one input is true | where method=PUT XOR status=400
CASE | Case-sensitive match | CASE(Intel)

If a search term includes a space, enclose it in double quotes (").

Wildcard matching

Use * (asterisk) as a wildcard to match any characters within quoted search phrases.
Examples:

  • uri_path=/admin*
  • user=CASE(*admin*)
  • useragent=*bot*
  • clientip=192.168.*
  • useragent=*"Intel Mac"*
  • method="POST" AND uri=*/login*

You can’t search for the asterisk character itself, as it’s reserved for wildcards.
See Splunk wildcard documentation for details.

Evaluation operators

Evaluation expressions use functions and operators to calculate and compare values.
Lumi supports these operators:

  • Mathematical: +, -, *, /, %
  • Comparison: =, ==, !=, >, >=, <, <= (= and == are equivalent)
  • Unary minus: -
  • String concatenation: . (for example, first_name . " " . last_name)

Supported evaluation functions

Lumi supports the following evaluation functions:

Function type | Supported functions
--- | ---
Comparison and conditional | case, cidrmatch, coalesce, false, if, like, match, null, nullif, searchmatch, true, validate
Date and time | now, relative_time, strftime, strptime, time
Informational | isbool, isdouble, isint, isnotnull, isnull, isnum, isstr
Mathematical | abs, ceiling / ceil, exp, floor, ln, pi, pow, round, sqrt
Multivalue evaluation | mvappend, mvcount, mvindex, split
Text | len, lower, ltrim, replace, rtrim, spath, substr, trim, upper, urldecode
Trigonometric and hyperbolic | acos, acosh, asin, asinh, atan, atan2, atanh, cos, cosh, hypot, sin, sinh, tan, tanh

Lumi supports Java regular expressions, not Perl-style regex.

Supported statistical and charting functions

Lumi supports the following statistical and charting functions:

Function type | Supported functions
--- | ---
Aggregate functions | avg, c, count, dc, distinct_count, estdc, estc_error, exactperc, max, mean, min, mode, range, stdev, stdevp, sum, sumsq, var, varp
Multivalue stats and chart functions | values
Time functions | earliest, earliest_time, latest, latest_time, rate
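The following federated search is added here as an illustration and is not taken from the Imply or Splunk documentation; it stays inside the subset this reference lists: a wildcard search term, rex without mode=sed, eval with coalesce and cidrmatch, bin without aligntime, stats with count, dc and values, where with NOT ... IN, sort on a stats output field, and head without an eval-expression. It surfaces source addresses that produce bursts of failed POST requests to login paths in 10-minute windows, which is a typical first-pass credential-abuse detection. It assumes a federated index named lumi_web_federated, fields named as in the examples above (status, method, uri, useragent, clientip, user), and a constructed placeholder address 203.0.113.5 standing in for an allowlisted scanner.

```spl
index=lumi_web_federated status>=400 method="POST" uri=*/login*
| rex field=useragent "(?<ua_family>Chrome|Firefox|Safari|curl)"
| eval ua_family=coalesce(ua_family, "other")
| eval src_class=if(cidrmatch("10.0.0.0/8", clientip), "internal", "external")
| bin _time span=10m
| stats count dc(user) AS distinct_users values(ua_family) AS ua_families BY _time clientip src_class
| where count>=20 AND NOT (clientip IN ("203.0.113.5"))
| sort - count
| head 50
```

The rex pattern is written in Java regular expression syntax, which Lumi uses in place of Perl-style regex, so avoid PCRE-only constructs when adapting it.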

Footnotes

  1. Lumi derives the location of IPs based on data from the IP to City Lite database by DB-IP. This database is licensed under the Creative Commons CC BY 4.0 license.