Skip to main content

Set up Splunk standard federated search

AI summary
Explains how to set up a standard federated provider in Splunk® so you can query Lumi events alongside your Splunk logs.

About AI summaries.

You can query Imply Lumi events directly from Splunk® with SPL using federated search. The Lumi federated search integration allows you to analyze Lumi data alongside your Splunk data without duplicating data or changing your existing workflows.

Standard federated search requires the federated: prefix to query Lumi indexes from Splunk. This mode gives you explicit control over which federated indexes are queried, making it useful when you want to distinguish between local Splunk data and federated Lumi data in your searches.

This topic provides details on configuring standard mode federated search. For an overview of both standard and transparent modes, see Search events with Splunk.

Prerequisites

To set up federated search, you need a Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.

Configure a Lumi IAM key

To search Lumi events in Splunk, you need an IAM key to authenticate Lumi as a federated provider.

To set up the IAM key:

  1. From the Lumi navigation menu, click Integrations > Federated search.
  2. Select Standard.
  3. Select or create an IAM key. See Create an IAM key for details.

Add a federated provider

To add Lumi as a standard federated provider:

  1. In Splunk Web, go to Settings ❯ Federation ❯ Federated Providers > Add federated provider.
  2. Complete the following fields:
    • Provider mode: Standard.
    • Provider name: Name that you'll reference in the federated index.
    • Remote host: Host address provided by Lumi.
    • Service account username: IAM key ID.
    • Service account password: IAM key token.
  3. Complete all other fields based on your specific setup and requirements.
  4. Click Save.

Create a federated index

To create a federated index in Splunk that reads from the Lumi standard federated provider:

  1. In Splunk Web, go to Settings ❯ Federation ❯ Federated Indexes > Add federated index.
  2. Select For Splunk to Splunk provider.
  3. Complete the following fields:
    • Federated index name: Descriptive name for the federated index.
      You use the name of the federated index when searching Lumi within Splunk.
    • Federated provider: Name of the Lumi federated provider created in Splunk.
    • Remote dataset: Select Index and enter the name of the Lumi index to search.
      If you have multiple indexes in Lumi that you want to search, create a federated index for each one.
  4. Click Save.

Example

Consider a Splunk environment in which you have a main index storing your logs. You want to start analyzing events from Lumi alongside these logs. You send events to Lumi into the default index that's also called main.

To search Lumi in Splunk, you complete the following steps:

  • Create a standard federated provider for Lumi called lumi.
  • Create a federated index called lumi_main.
  • Query Lumi from Splunk using the federated label and index name, federated:lumi_main.

The following diagram illustrates this scenario:

federated search example

Search for events

Once you configure the standard federated provider and federated index, you can query Lumi events in Splunk.

To search for Lumi events:

  1. Open the Search & Reporting app in Splunk.

  2. Enter your query into the search bar, using the following syntax to specify the federated index:

    index=federated:FEDERATED_INDEX_NAME

    For example:

    index=federated:lumi_main host=web-01

  3. Use the time range selector next to the search bar to select a time range for the search. The default time range is the past 15 minutes. You can select a preset time range or click Date range to set your own start and end date/time. Splunk search excludes the earliest and latest times.

  4. Press Enter or click the search icon to execute the search.

For federated search examples using supported SPL commands, see Federated search examples.

User and system attributes

Federated search supports querying user attributes but not system attributes. To search system attributes, query directly within Lumi.

Learn more

See the following topics for more information: