Transparent federated search
Transparent mode federated search lets you query Imply Lumi events from Splunk® without the federated: prefix.
This mode is required for data model queries and lookups, and provides seamless integration between Lumi and Splunk data sources.
With transparent mode, you can configure field mappings on a Lumi IAM key to translate between Splunk data model fields and Lumi event fields. The transparent federated provider then routes queries from Splunk to Lumi and returns results.
See Query events with data models and Enrich Lumi events with Splunk lookups for an overview of how data models and lookups work with Lumi, and Set up transparent federated search to configure the integration.
Splunk knowledge objects
Lumi supports the following Splunk knowledge objects in transparent mode federated search:
- Alerts
- Data models—see Query events with data models for details
- Lookups—see Enrich Lumi events with Splunk lookups for details
- Reports
- Saved searches
- Search macros
- Workflow actions
See Known limitations for details of unsupported knowledge objects.