
Splunk federated search reference

Once you set up federated search, you can search an index in Imply Lumi using a federated index in Splunk®. With federated search, you use Splunk Search Processing Language (SPL) to query Lumi events.

This reference lists the SPL commands, syntax, and functions supported by Lumi for federated searches.

Search modes

Lumi supports all Splunk search modes for federated search. See the Splunk documentation on search modes for details.

Supported SPL commands

The following table describes Lumi support for federated search commands:

| Command | Lumi support |
|---|---|
| search | Fully supported |
| bin | Fully supported |
| chart | See supported functions below |
| eval | Fully supported |
| eventstats | See supported functions below |
| fields | Fully supported |
| fillnull | Optional arguments are unsupported |
| head | Fully supported |
| iplocation | Fully supported |
| rare | Fully supported |
| regex | Fully supported |
| rename | Renaming similarly named fields using wildcards is unsupported |
| rex | mode=sed, offset_field, and non-default max_match are unsupported |
| setfields | Fully supported |
| sirare | Fully supported |
| sitop | Fully supported |
| sort | Sorting on calculated fields is unsupported |
| spath | Use without arguments is unsupported |
| stats | See supported functions below |
| streamstats | See supported functions below |
| table | Fully supported |
| tail | Fully supported |
| timechart | See supported functions below |
| top | Fully supported |
| tstats | See supported functions below |
| where | Fully supported |
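The following search is an added illustration, not a query from the Imply or Splunk documentation. It chains several of the commands in the table while staying inside the limits the table lists: rex in its default mode with a single match, fillnull with no arguments, rename without wildcards, and no sort on a derived field. It assumes a federated index named lumi_web (Splunk addresses federated indexes with the federated: prefix), web-access events carrying the method, uri, status, useragent and clientip fields used elsewhere on this page, and an arbitrary threshold of 20 failed logins per hour; the index name, the fields and the threshold are assumptions, not values from this page.

```spl
index=federated:lumi_web method=POST uri=*/login* status>=400
| rex field=useragent "(?<browser>Chrome|Firefox|Safari|curl)"
| fillnull
| bin _time span=1h
| stats count AS failures by _time, clientip, browser
| where failures>=20
| rename clientip AS source_ip
| table _time, source_ip, browser, failures
| head 50
```

The search term filters failed POSTs to any login path before the pipeline runs. rex extracts a browser name into a capture group whose name is letters only, because Java named groups accept letters and digits but not underscores. fillnull runs before stats so that events where rex matched nothing are counted under the default value 0 instead of being dropped by the by clause. Only count is used as the aggregation, since this page does not enumerate which stats aggregation functions Lumi supports. The where after stats filters on the aggregated field, and head caps the result set without relying on sort.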

Supported syntax

Use the following operators for comparisons and boolean logic in federated searches and where expressions.
Functions such as like and match provide additional pattern-matching options.

| Operator/Syntax | Description | Example |
|---|---|---|
| = | Equal to | status=200 |
| != | Not equal to | status!=200 |
| > | Greater than | count>400 |
| >= | Greater than or equal to | total_events>=5000 |
| < | Less than | host_event_count<100 |
| <= | Less than or equal to | percent<=50 |
| "" | Exact phrase | #processor="ec 20250806.1487.0" |
| * | Wildcard matching | uri=*policy* |
| AND | Match both conditions | method=GET AND status=404 |
| OR | Match either or both conditions | status=500 OR level=error |
| NOT | Exclude results matching condition | NOT uri="/orders*" |
| IN | Match any value from a list (in where or eval) | where method IN (GET,POST) |
| NOT IN | Exclude listed values (in where or eval) | where NOT (user IN ("trixie9292","gusosborne")) |
| XOR | True when exactly one input is true | where method=PUT XOR status=400 |
| CASE | Case-sensitive match | CASE(Intel) |

If a search term includes a space, enclose it in double quotes (").

Wildcard matching

Use * (asterisk) as a wildcard to match any characters within quoted search phrases.
Examples:

  • uri_path=/admin*
  • user=CASE(*admin*)
  • useragent=*bot*
  • clientip=192.168.*
  • useragent=*"Intel Mac"*
  • method="POST" AND uri=*/login*

You can’t search for the asterisk character itself, as it’s reserved for wildcards.
See Splunk wildcard documentation for details.
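One search that exercises the comparison operators, boolean operators, quoted phrases, CASE and the wildcard forms from the two sections above, added here as an example rather than copied from this page or from Imply's documentation. The federated index name lumi_web (using Splunk's federated: prefix), the field names and the literal values are assumptions chosen for illustration.

```spl
index=federated:lumi_web (method=GET OR method=POST) status>=400 status<500
    NOT uri="/static*"
    useragent=*"Intel Mac"*
    NOT useragent=CASE(*Googlebot*)
    clientip=192.168.*
| where like(uri, "/admin%") OR match(uri_path, "^/api/v[0-9]+/")
| where user IN ("trixie9292","gusosborne") XOR status=403
| table _time, clientip, user, method, uri, status
```

The first line combines a parenthesised OR with two range comparisons that are implicitly ANDed. The quoted phrase keeps the space in "Intel Mac" intact and is wrapped in wildcards, while CASE makes the Googlebot exclusion case-sensitive. Once the events reach the where stage, like() provides SQL-style % wildcards and match() takes a Java regular expression, which is why the pattern uses [0-9]+ rather than a Perl-only construct. The XOR clause keeps events where exactly one of the two conditions holds.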

Evaluation operators

Evaluation expressions use functions and operators to calculate and compare values.
Lumi supports these operators:

  • Mathematical: +, -, *, /, %
  • Comparison: =, ==, !=, >, >=, <, <= (= and == are equivalent)
  • Unary minus: -
  • String concatenation: . (for example, first_name . " " . last_name)

Supported functions

Lumi supports the following functions:

| Function type | Supported functions |
|---|---|
| Comparison and conditional | case, cidrmatch, coalesce, false, if, like, match, null, nullif, searchmatch, true, validate |
| Date and time | now, relative_time, strftime, strptime, time |
| Informational | isbool, isdouble, isint, isnotnull, isnull, isnum, isstr |
| Mathematical | abs, ceiling / ceil, exp, floor, ln, pi, pow, round, sqrt |
| Multivalue evaluation | mvappend, mvcount, mvindex, split |
| Text | len, lower, ltrim, replace, rtrim, spath, substr, trim, upper, urldecode |

Lumi supports Java regular expressions, not Perl-style regex.
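The following eval pipeline is an added example covering the evaluation operators and the function table above; it is not a query from this page or from Imply's documentation, and it uses only functions the table lists. It assumes a federated index named lumi_web (Splunk's federated: prefix), web-access events with the clientip, uri, user, useragent and status fields used elsewhere on this page, and the 10.0.0.0/8 range as the internal network; all of these are assumptions.

```spl
index=federated:lumi_web
| where _time>relative_time(now(), "-24h")
| eval decoded=urldecode(uri)
| eval user=coalesce(user, "anonymous")
| eval net=if(cidrmatch("10.0.0.0/8", clientip), "internal", "external")
| eval ua=lower(useragent), ua_len=len(useragent)
| eval parts=split(decoded, "/"), depth=mvcount(parts)
| eval severity=case(status>=500, "high", status>=400, "medium", true(), "low")
| eval suspicious=if(match(decoded, "(?i)union +select") OR ua_len>512 OR depth>12, 1, 0)
| eval label=severity . ":" . net
| eval age_h=round((now() - _time) / 3600, 1)
| eval hour=strftime(_time, "%Y-%m-%d %H:00")
| where suspicious=1
| table hour, user, net, label, age_h, decoded
| head 100
```

relative_time and now supply the time window, urldecode normalises the request path before any pattern check, and coalesce gives unauthenticated events a stable user value so later grouping does not drop them. split and mvcount turn the path into a multivalue field and measure its depth, case assigns a severity with true() as the default branch, and the suspicious flag combines a match() on a Java regular expression (the (?i) flag is valid in Java) with two length checks. The label line uses the . concatenation operator, age_h uses subtraction and division with round, and strftime formats the bucket that table then displays.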

Learn more

See the following topics for more information: