
Set up Splunk standard federated search


You can query Imply Lumi events directly from Splunk® with SPL using federated search. The Lumi federated search integration allows you to analyze Lumi data alongside your Splunk data without duplicating data or changing your existing workflows.

Standard federated search requires the federated: prefix to query Lumi indexes from Splunk. This mode gives you explicit control over which federated indexes are queried, making it useful when you want to distinguish between local Splunk data and federated Lumi data in your searches.

This topic provides details on configuring standard mode federated search. For an overview of both standard and transparent modes, see Search events with Splunk.

Prerequisites

To set up federated search, you need a Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.

Configure a Lumi IAM key

To search Lumi events in Splunk, you need an IAM key to authenticate Lumi as a federated provider.

To set up the IAM key:

  1. From the Lumi navigation menu, click Integrations > Federated search.
  2. Select Standard.
  3. Select or create an IAM key. See Create an IAM key for details.
  4. Configure the allowed indexes.
  5. Save your changes.

Configure allowed indexes

The allowed indexes setting on the IAM key controls which Lumi indexes can be queried through the federated search integration.

In the Allowed indexes field on the IAM key, choose one of the following options:

  • All: Query all indexes without restrictions. We recommend using Enter specific to control query scope and reduce load.
  • None: Block direct queries to indexes.
  • Enter specific: Enter the names of specific Lumi indexes to enable for queries.

Add a federated provider

To add Lumi as a standard federated provider:

  1. In Splunk Web, go to Settings > Federation > Federated Providers > Add federated provider.
  2. Complete the following fields:
    • Provider mode: Standard.
    • Provider name: Name that you'll reference in the federated index.
    • Remote host: Host address provided by Lumi.
    • Service account username: IAM key ID.
    • Service account password: IAM key token.
  3. Complete all other fields based on your specific setup and requirements.
  4. Click Save.

Create a federated index

To create a federated index in Splunk that reads from the Lumi standard federated provider:

  1. In Splunk Web, go to Settings > Federation > Federated Indexes > Add federated index.
  2. Select For Splunk to Splunk provider.
  3. Complete the following fields:
    • Federated index name: Descriptive name for the federated index.
      You use the name of the federated index when searching Lumi within Splunk.
    • Federated provider: Name of the Lumi federated provider created in Splunk.
    • Remote dataset: Select Index and enter the name of the Lumi index to search.
      If you have multiple indexes in Lumi that you want to search, create a federated index for each one.
  4. Click Save.
Info

For standard mode federated search to work correctly, you must configure both:

  • The Lumi IAM key to include the Lumi index you want to search (for example, main) in its allowed indexes list.
  • A Splunk federated index whose Remote dataset references that same Lumi index (for example, main).

If the Splunk federated index references a Lumi index that isn't allowed for querying, queries will return no results.

Example

Consider a Splunk environment in which you have a main index storing your logs. You want to start analyzing events from Lumi alongside these logs. You send events to Lumi into the default index that's also called main.

To search Lumi in Splunk, you complete the following steps:

  • Create a standard federated provider for Lumi called lumi.
  • Create a federated index called lumi_main.
  • Query Lumi from Splunk using the federated label and index name, federated:lumi_main.
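The Info note above and this example both hinge on the same rule: a Splunk federated index only returns Lumi events if the IAM key's allowed-indexes setting admits the Lumi index it points at. The following script is an added example, not Lumi's or Splunk's own code, that models that rule offline so you can review a planned configuration before saving it. It assumes the three allowed-indexes choices are represented as the strings `"all"`, `"none"` and `"specific"`, uses constructed provider and index names (`lumi`, `lumi_main`, `lumi_audit`), and emits the `index=federated:<name>` form used in standard-mode SPL searches.

```python
"""Offline consistency check: Lumi IAM key allowed indexes vs Splunk federated indexes.

Added example (not Lumi or Splunk code). Models the rule that a Splunk federated
index returns no results when its Lumi index is not allowed on the IAM key.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IamKey:
    """Allowed-indexes setting on a Lumi IAM key.

    allowed_mode is one of "all", "none" or "specific" (assumed labels for the
    All / None / Enter specific options in the Lumi UI).
    """
    allowed_mode: str
    allowed_indexes: frozenset[str] = frozenset()


@dataclass(frozen=True)
class FederatedIndex:
    """A Splunk federated index definition (Settings > Federation > Federated Indexes)."""
    name: str           # Federated index name, referenced as federated:<name> in SPL
    provider: str       # Federated provider name the index reads from
    remote_index: str   # Lumi index selected under Remote dataset


def index_is_allowed(key: IamKey, lumi_index: str) -> bool:
    """Apply the IAM key's allowed-indexes setting to one Lumi index name."""
    if key.allowed_mode == "all":
        return True
    if key.allowed_mode == "none":
        return False
    if key.allowed_mode == "specific":
        return lumi_index in key.allowed_indexes
    raise ValueError(f"unknown allowed-indexes mode: {key.allowed_mode!r}")


def spl_search(fed_index: FederatedIndex) -> str:
    """Standard-mode SPL reference for a federated index (Splunk's index=federated:<name> form)."""
    return f"index=federated:{fed_index.name}"


def check_federated_setup(key: IamKey, provider: str,
                          fed_indexes: list[FederatedIndex]) -> list[dict]:
    """Report, per federated index on the given provider, whether searches will return data.

    Statuses: "ok" (searchable), "blocked" (Lumi index not allowed on the IAM key),
    and a leading "warn" entry when the key allows every index, which the page
    recommends against for scope and load reasons.
    """
    findings: list[dict] = []
    if key.allowed_mode == "all":
        findings.append({"index": "*", "status": "warn",
                         "detail": "IAM key allows all Lumi indexes; prefer Enter specific"})
    for fi in fed_indexes:
        if fi.provider != provider:
            continue  # belongs to a different federated provider; out of scope
        if index_is_allowed(key, fi.remote_index):
            findings.append({"index": fi.name, "status": "ok", "detail": spl_search(fi)})
        else:
            findings.append({"index": fi.name, "status": "blocked",
                             "detail": f"Lumi index {fi.remote_index!r} is not allowed on "
                                       f"the IAM key; searches will return no results"})
    return findings


# Constructed sample mirroring the page's scenario: key allows only "main",
# provider "lumi", federated index "lumi_main" -> "main", plus one misconfigured
# index ("lumi_audit" -> "audit") and one on an unrelated provider.
KEY = IamKey("specific", frozenset({"main"}))
FEDERATED_INDEXES = [
    FederatedIndex("lumi_main", "lumi", "main"),
    FederatedIndex("lumi_audit", "lumi", "audit"),
    FederatedIndex("other_main", "other_provider", "main"),
]

if __name__ == "__main__":
    for finding in check_federated_setup(KEY, "lumi", FEDERATED_INDEXES):
        print(f"{finding['status']:8} {finding['index']:12} {finding['detail']}")
```

Run it as-is to see `lumi_main` reported as searchable with its SPL reference and `lumi_audit` flagged as blocked; swap `KEY` for `IamKey("all")` to see the scope warning the page's recommendation is about.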

The following diagram illustrates this scenario:

[Diagram: federated search example]

Learn more

Once you've completed the setup, you can start querying Lumi events from Splunk. See the following topics for more information: