
How to query Lumi using standard federated search

AI summary
Explains how to set up Imply Lumi as a standard federated data provider in Splunk®. Covers connecting Splunk to Lumi using IAM credentials and running federated queries. Demonstrates analyzing site traffic and error patterns in web events.


The next step in the tutorial workflow is learning how to use Splunk® standard federated search to query Imply Lumi events with SPL.

Standard mode requires the federated: prefix when searching. See Choosing a mode for information on selecting standard or transparent mode to query Lumi events.

This tutorial builds on the Quickstart and walks you through how to:

  • Configure standard federated search to connect Splunk to Imply Lumi.
  • Perform federated queries on Lumi events.

The steps assume that, as part of the Quickstart, you've already:

  • Added web logs to Lumi using the file upload feature.
  • Viewed and queried events in Lumi.

To complete the steps, you use sample web traffic data from a fictional online store. For background on the dataset and its format, see the tutorial data overview.

The following diagram summarizes the end-to-end process of searching events with Splunk. Yellow shaded boxes represent steps taken within Lumi, and blue shaded boxes represent steps taken outside Lumi.

Prerequisites

Before you begin, download an up-to-date version of the sample log file and upload it to Lumi.

To complete the tutorial, you need the following:

  • Access to Lumi with the Viewer role or higher.
    For information on roles and permissions, see Manage roles.
  • A Lumi IAM key that is enabled for the federated search integration.
    See Create an IAM key for details.
  • A Splunk user with the admin_all_objects and indexes_edit capabilities. The following roles have these capabilities by default. See the Splunk documentation on security for federated search for more information.
    • Splunk Cloud: sc_admin
    • Splunk Enterprise: admin

1. Retrieve details from Lumi

In this step, you retrieve the information you need from Lumi.

  1. In Lumi, go to Integrations > Federated search.
  2. Select Standard SPL mode.
  3. Click Select or create key.
  4. Select your IAM key in the drop-down menu and click Select. Lumi automatically enables the key for the federated search integration.
  5. Copy the Remote host, Service account username, and Service account password. You'll need these details in the next step. Note that the remote host value is your Lumi host address prefixed by your IAM key ID, for example 8ee97d51-97f8-4c51-b44a-4b5bd7175abc.us1.spl.lumi.prod.imply.io:443.

Federated search integration

2. Create a standard federated provider

In this step, you add Lumi as a standard federated provider in Splunk. The federated provider connects to Lumi using your IAM key and Lumi host details.

  1. In Splunk Web, go to Settings ❯ Federation ❯ Add federated provider.
  2. Enter the following fields to integrate with Lumi:
    • Provider mode: Standard.
    • Provider name: federated-search-tutorial. Must be lowercase.
    • Remote host: Remote host value you copied in the previous step.
    • Service account username: Service account username you copied in the previous step.
    • Service account password: Service account password you copied in the previous step.
  3. Leave all other fields unchanged and click the Agree checkbox.
  4. Test the connection.
  5. Once the connection is successful, click Save.
  6. In the federated providers list, find federated-search-tutorial and set its status to Active. Important: Deactivate any other federated providers to this Lumi source. You can only have one active at a time.

Federated search provider

3. Create a federated index

In this step, you create a federated index in Splunk. The federated index maps to an index in Lumi. In this tutorial, the Lumi index that holds the sample data is main.

  1. In Splunk Web, go to Settings ❯ Federation ❯ Federated Indexes ❯ Add federated index.
  2. Select For Splunk to Splunk provider.
  3. Complete the following fields:
    • Federated index name: search-tutorial
    • Federated provider: federated-search-tutorial
    • Remote dataset type: Index
    • Dataset name: main
  4. Click Save.

Federated search index

4. Test the federated search

In this step, you test your federated search setup.

  1. In Splunk Web, go to the Search & Reporting app.
  2. Set the time range to the last 7 days. You can also include earliest=-7d@d in the query, as shown below, which overrides the time range selector.
  3. Enter the following query:
    index="federated:search-tutorial" earliest=-7d@d host=web-01

This returns events from the sample log file in Lumi. The host=web-01 condition filters out any other events in the same time range.

Federated search test

5. Run federated queries

In this step, you run a series of federated queries to explore site traffic, identify errors, understand request patterns, and enrich the data with a calculated field.

The example output may not exactly match yours. The queries use a relative 7-day time range, and the sample data has fixed timestamps, so results depend on when you downloaded the file.

  1. List the top 5 uri values by access count:

    index="federated:search-tutorial" earliest=-7d@d host=web-01
    | top uri limit=5

    Example output:

    uri          count  percent
    /categories  123    37.272727
    /cart        44     13.333333
    /admin       38     11.515152
    /            32     9.696970
    /search      21     6.363636
  2. Show events with status 500 or higher, and count how many times each status occurred:

    index="federated:search-tutorial" earliest=-7d@d host=web-01
    | where status >= 500
    | stats count by status

    Example output:

    status  count
    500     3
    502     7
    503     9
    504     3
  3. Find all requests for a particular user with status not equal to 200, and display the specified fields in a table:

    index="federated:search-tutorial" earliest=-7d@d host=web-01
    | where status != 200
    | where user = "gusosborne"
    | table _time user status uri_path

    Example output:

    _time                user        status  uri_path
    2025-07-29 02:58:09  gusosborne  403     /
    2025-07-25 15:26:02  gusosborne  304     /product/eclipse-wall-sconce
    2025-07-25 16:53:47  gusosborne  304     /cart
    2025-07-29 02:51:29  gusosborne  403     /categories/smart-lighting/app-controlled-lamp
  4. Show average bytes per method, rounded to 2 decimal places:

    index="federated:search-tutorial" earliest=-7d@d host=web-01
    | stats avg(bytes) as avg_bytes by method
    | eval avg_bytes = round(avg_bytes, 2)

    Example output:

    method   avg_bytes
    DELETE   4548.42
    GET      4517.34
    OPTIONS  1235.00
    POST     5601.80
    PUT      5002.06
  5. Extract the operating system from the useragent field, count how often each OS appears, and display the five most common ones:

    index="federated:search-tutorial" earliest=-7d@d host=web-01
    | rex field=useragent "\((?<os>[^;]+);"
    | stats count by os
    | sort -count
    | head 5

    Example output:

    os               count
    Macintosh        114
    Windows NT 10.0  86
    Linux            70
    iPhone           18
    Windows NT 6.1   16
  6. Add a field to mark responses with bytes greater than 5000:

    index="federated:search-tutorial" earliest=-7d@d host=web-01
    | eval big_response = if(bytes > 5000, "yes", "no") | table bytes, big_response

    Example output:

    bytes  big_response
    8934   yes
    2659   no
    452    no
    917    no
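As an added example that is not part of the original tutorial, the following query combines the error-filtering and calculated-field techniques from the steps above into a single per-path error summary. It uses only the status and uri_path fields already shown in the queries above; the minimum of 10 requests per path is an assumed threshold chosen to keep rarely requested paths from dominating the percentages.

```spl
index="federated:search-tutorial" earliest=-7d@d host=web-01
| stats count as requests,
        sum(eval(if(status >= 500, 1, 0))) as server_errors,
        sum(eval(if(status >= 400 AND status < 500, 1, 0))) as client_errors
        by uri_path
| eval error_pct = round((server_errors + client_errors) / requests * 100, 2)
| where requests >= 10
| sort -error_pct
| head 10
```

Paths with a high 4xx share point at access problems (such as repeated 403 responses on a restricted path), while a high 5xx share points at server-side failures, so the two columns are worth reading separately.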

Learn more

To build on this tutorial, follow How to convert a Splunk dashboard for federated search to update a Splunk dashboard to use federated search queries against Lumi.

See the following topics for more information: