Skip to main content

Set up Splunk federated search

AI summary
Configure Splunk to query Imply Lumi events using federated search. Set up a federated provider and federated index in Splunk to search Lumi data alongside existing Splunk logs.

About AI summaries.

You can issue queries on Imply Lumi events in Splunk® software. When querying Lumi in Splunk, you use the Splunk query syntax, the Splunk Search Processing Language (SPL).

Splunk offers two federated provider modes:

  • Standard mode: Requires the federated: prefix to query Lumi indexes. Use this mode when you want explicit control over which federated indexes are queried.
  • Transparent mode: Queries Lumi without the federated: prefix. Required for data model queries. See Query Lumi events with data models for details.

This topic provides details on configuring standard mode federated search of Lumi events within Splunk.

See How to search events with Splunk to walk through federated search setup and run example queries.

Prerequisites

To set up federated search, you need the following:

  • A Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.
  • A Lumi IAM key with the federated search integration. See Create an IAM key for details.
    If you assigned attributes on the IAM key before sending events, Lumi enriches the events with those attributes. To search Lumi events in Splunk, you need an IAM key to authenticate Lumi as a federated provider.

Add a federated provider

To add Lumi as a standard federated provider:

  1. In Splunk Web, go to Settings ❯ Federation ❯ Federated Providers > Add federated provider.
  2. Complete the following fields:
    • Provider mode: Standard.
    • Provider name: Name that you'll reference in the federated index.
    • Remote host: Host address provided by Lumi.
    • Service account username: IAM key ID.
    • Service account password: IAM key token.
  3. Complete all other fields based on your specific setup and requirements.
  4. Click Save.

Create a federated index

To create a federated index in Splunk that reads from the Lumi standard federated provider:

  1. In Splunk Web, go to Settings ❯ Federation ❯ Federated Indexes > Add federated index.
  2. Select For Splunk to Splunk provider.
  3. Complete the following fields:
    • Federated index name: Descriptive name for the federated index.
      You use the name of the federated index when searching Lumi within Splunk.
    • Federated provider: Name of the Lumi federated provider created in Splunk.
    • Remote dataset: Select Index and enter the name of the Lumi index to search.
      If you have multiple indexes in Lumi that you want to search, create a federated index for each one.
  4. Click Save.

Example

Consider a Splunk environment in which you have a main index storing your logs. You want to start analyzing events from Lumi alongside these logs. You send events to Lumi into the default index that's also called main.

To search Lumi in Splunk, you complete the following steps:

  • Create a standard federated provider for Lumi called lumi.
  • Create a federated index called lumi_main.
  • Query Lumi from Splunk using the federated label and index name, federated:lumi_main.

The following diagram illustrates this scenario:

federated search example

Search for events

Once you configure the standard federated provider and federated index, you can query Lumi events in Splunk.

To search for Lumi events:

  1. Open the Search & Reporting app in Splunk.

  2. Enter your query into the search bar, using the following syntax to specify the federated index:

    index=federated:FEDERATED_INDEX_NAME

    For example:

    index=federated:lumi_main host=web-01

  3. Use the time range selector next to the search bar to select a time range for the search. The default time range is the past 15 minutes. You can select a preset time range or click Date range to set your own start and end date/time. Splunk search excludes the earliest and latest times.

  4. Press Enter or click the search icon to execute the search.

For federated search examples using supported SPL commands, see Federated search examples.

User and system attributes

Federated search supports querying user attributes but not system attributes. To search system attributes, query directly within Lumi.

Learn more

See the following topics for more information: