Splunk federated search reference
Once you set up federated search, you can search an index in Imply Lumi using a federated index in Splunk®.
With federated search, you use Splunk Search Processing Language (SPL) to query Lumi events.
This reference provides federated search examples using SPL commands, functions, and expressions that Lumi supports. For details on supported operators and search syntax, see Federated search syntax.
Supported commands
Some SPL commands in federated search run on the federated search head (Splunk) and others run on the remote search head (Lumi). This topic lists commands that run on the federated search head by design and commands Imply has implemented on the remote search head.
If you want to use an SPL command that isn't listed here, try it out - it might work. If it doesn't, contact your Imply representative. We're adding more commands to the remote search head and we can prioritize the commands you need.
See the documentation on Splunk command types for information on how and where the search head processes commands.
Search modes
Lumi supports all Splunk search modes for federated search. See the Splunk documentation on search modes for more information.
Examples
You can run the example federated search queries below against the example data for tutorials.
search
The search keyword is implied at the beginning of a query. Use search explicitly in nested searches and when filtering later in a query.
Count events by HTTP status, then filter the result to only the 200 and 404 rows:
index="federated:lumi_main"
| stats count by status
| search status=200 OR status=404
Example output:
status | count |
---|---|
200 | 10 |
400 | 6 |
For more information, see the Splunk documentation on search.
bin
Group events into 1-hour time intervals and count how many events occur in each interval:
index="federated:lumi_main"
| bin _time span=1h
| stats count by _time
| sort _time
Example output:
_time | count |
---|---|
2025-07-15 00:00:00 | 17 |
2025-07-15 01:00:00 | 22 |
2025-07-15 02:00:00 | 9 |
2025-07-15 03:00:00 | 14 |
For more information, see the Splunk documentation on bin.
eval
Check whether the useragent exactly matches Google's bot identifier and count how many events are from bots versus non-bots:
index="federated:lumi_main"
| eval is_bot=if(useragent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "yes", "no")
| stats count by is_bot
Example output:
is_bot | count |
---|---|
no | 254 |
yes | 54 |
For more information, see the Splunk documentation on eval.
eventstats
Add a field to every event showing how many events its user has in the result set:
index="federated:lumi_main"
| eventstats count as user_event_count by user
For more information, see the Splunk documentation on eventstats.
fields
Find all HTTP 400 (Bad Request) events, displaying only the host, source, and method fields in the results:
index="federated:lumi_main" status=400 | fields host, source, method
For more information, see the Splunk documentation on fields.
fillnull
Note that Lumi doesn't support the use of optional arguments with fillnull.
Count events grouped by referer and replace any missing referer values with NULL:
index="federated:lumi_main" | stats count by referer
| fillnull
Example output:
referer | count |
---|---|
https://www.pinterest.com/ | 1 |
https://www.ebay.com/ | 3 |
NULL | 5 |
For more information, see the Splunk documentation on fillnull.
head
Search for events where method is either GET or POST, and show the five most recent results:
index="federated:lumi_main" method IN (GET, POST) | head 5
For more information, see the Splunk documentation on head.
rare
Find the two least common combinations of uri and user, excluding events where the user is - and the uri is /:
index="federated:lumi_main"
| where user != "-" AND uri != "/"
| eval combo = uri . " - " . user
| rare limit=2 combo
Example output:
combo | count | percent |
---|---|---|
/.bash_history - admin374 | 1 | 0.217865 |
/.bash_history - elaine554 | 1 | 0.217865 |
For more information, see the Splunk documentation on rare.
regex
Show only those events where the uri_path matches a two-level category path under /categories/, and display the user and uri_path:
index="federated:lumi_main"
| regex uri_path="^/categories/[^/]+/[^/]+"
| table user uri_path
Example output:
user | uri_path |
---|---|
alice997 | /categories/indoor-lighting/eclipse-wall-sconce |
kennethjohnson | /categories/smart-lighting/voice-controlled-bulb |
dorothy3321 | /categories/outdoor-lighting/solar-path-light |
For more information, see the Splunk documentation on regex.
rename
Note that Lumi doesn't support renaming similarly named fields using wildcards.
Count events by status code and rename the status field to http_status for clearer labeling in the output:
index="federated:lumi_main"
| stats count by status
| rename status AS http_status
For more information, see the Splunk documentation on rename.
rex
Note that Lumi doesn't support the following rex arguments:
- mode=sed
- offset_field
- max_match, apart from the default max_match=1
Extract the operating system from the useragent string and display it alongside the user:
index="federated:lumi_main"
| rex field=useragent "\((?<os>[^;]+);"
| table user os useragent
Example output:
user | os | useragent |
---|---|---|
admin728 | Windows NT 10.0 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 |
parkeranthony | Linux | Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Mobile Safari/537.36 |
kramercosmo | Macintosh | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 |
For more information, see the Splunk documentation on rex.
setfields
Set the host, status, and uri fields to specific values and display the results in a table:
index="federated:lumi_main"
| setfields host="10.0.1.19", status="200", uri="/shipping-policy"
| table host, status, uri, _time
For more information, see the Splunk documentation on setfields.
sirare
Find and display statistically rare users among successful requests, excluding anonymous ones:
index="federated:lumi_main"
| where user != "-" AND status=200
| sirare user
| table user
For more information, see the Splunk documentation on sirare.
sitop
Identify statistically significant URIs that start with /admin/ and returned a 200 status, to highlight paths accessed more frequently than expected:
index="federated:lumi_main"
| where status=200 AND match(uri_path, "^/admin/")
| sitop uri_path
For more information, see the Splunk documentation on sitop.
sort
Note that you can't sort on calculated fields.
Retrieve all HTTP 400 (Bad Request) events, show the host, source, and method fields only, and sort the results alphabetically by host:
index="federated:lumi_main"
| search status=400
| fields host, source, method
| sort host
For more information, see the Splunk documentation on sort.
stats
Note that Lumi doesn't support the use of optional arguments with stats.
Count the total number of successful requests and the number of unique client IPs:
index="federated:lumi_main" status=200
| stats count AS total_requests, dc(clientip) AS unique_ips
Example output:
total_requests | unique_ips |
---|---|
171 | 145 |
For more information, see the Splunk documentation on stats.
streamstats
Show a running count of events per user over time, excluding anonymous users, to track how each user’s activity accumulates chronologically:
index="federated:lumi_main"
| where user != "-"
| streamstats count as user_request_count by user
For more information, see the Splunk documentation on streamstats.
table
Display a table of selected fields for easy viewing and analysis:
index="federated:lumi_main"
| table _time, clientip, status, user
Example output:
_time | clientip | status | user |
---|---|---|---|
2025-05-13 14:22:21 | 53.3.39.88 | ok | sanderskimberley |
2025-05-13 14:22:36 | 147.197.48.174 | ok | kevin10 |
2025-05-13 14:22:58 | 154.24.52.81 | ok | cheryl33 |
For more information, see the Splunk documentation on table.
tail
Search for all HTTP 400 (Bad Request) events, returning only the last three matching events:
index="federated:lumi_main" status=400 | tail 3
For more information, see the Splunk documentation on tail.
top
Show the most common URIs accessed in the index, with how often they appear and their percentage of total events:
index="federated:lumi_main" | top uri
Example output:
uri | count | percent |
---|---|---|
/home | 524 | 23.4% |
/shipping-policy | 312 | 13.9% |
/contact | 290 | 12.9% |
For more information, see the Splunk documentation on top.
tstats
Assuming the sample data is mapped to the Web data model, count the number of events per host using the Web object. tstats is a generating command, so it starts with a leading pipe, and the BY clause follows the FROM and WHERE clauses:
| tstats count AS host_event_count
FROM datamodel=Web.Web
WHERE index="federated:lumi_main"
BY host
Example output:
host | host_event_count |
---|---|
web-01 | 854 |
Note that Lumi doesn't support the use of optional arguments with tstats.
For more information, see the Splunk documentation on tstats.
where
Retrieve events where the host is 10.0.1.19 and the status is 200:
index="federated:lumi_main"
| where host = "10.0.1.19" AND status = 200
For more information, see the Splunk documentation on where.
Supported functions and operators
The following SPL commands supported in Lumi use evaluation functions:
- eval
- fieldformat
- head
- where
Evaluation functions use operators to generate results. Lumi supports the following operators:
- Mathematical: +, -, *, /, %
- Comparison: =, ==, !=, >, >=, <, <=
- Unary minus: -
- Period (.) for concatenation
Lumi supports the following functions:
- Comparison and conditional: case, cidrmatch, coalesce, false, if, match (Lumi supports Java regex matching, not Perl regex matching), null, nullif, searchmatch, true, validate
- Date and time: now, relative_time, strftime, strptime, time
- Informational: isbool, isdouble, isint, isnotnull, isnull, isnum, isstr
- Mathematical: abs, ceiling/ceil, exp, floor, ln, pi, pow, round, sqrt
- Text: len, lower, ltrim, rtrim, substr, trim, upper, urldecode
Examples
You can run the example federated search queries below against the example data for tutorials.
Create a new field is_success that equals 1 when status is 200 and 0 otherwise, and show a table with _time, user, status, and is_success:
index="federated:lumi_main"
| eval is_success = if(status==200, 1, 0)
| table _time user status is_success
Example output:
_time | user | status | is_success |
---|---|---|---|
2025-05-13 11:22:21 | aaron94 | 400 | 0 |
2025-05-13 14:38:29 | michelle00 | 301 | 0 |
2025-05-13 14:38:18 | ochambers | 200 | 1 |
Concatenate uri and user with a colon, store the result in a new field uri_user, and show a table with _time, uri, user, and uri_user:
index="federated:lumi_main"
| eval uri_user = uri . ":" . user
| table _time, uri, user, uri_user
Example output:
_time | uri | user | uri_user |
---|---|---|---|
2025-05-13 11:22:21 | /logout | aaron94 | /logout:aaron94 |
2025-05-13 11:22:19 | /account | eric52 | /account:eric52 |
2025-05-13 11:22:15 | /shop | rhawkins | /shop:rhawkins |
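The query below is an added example and is not part of the Imply documentation or the tutorial data set. It combines several of the functions listed above (case, cidrmatch, nullif, coalesce, true) with commands from the first half of this reference (eval, where, bin, stats, sort) into one pipeline of the kind a defender would run over web access logs: it classifies each request by status class, labels the client as internal or external by CIDR match, normalizes the anonymous `-` user to a readable label, and then counts client errors from external addresses per hour and per actor. The 10.0.0.0/8 range is an assumed internal network, and the field names (status, clientip, user) are assumed from the example data used throughout this page; adjust both to your own index.

```spl
index="federated:lumi_main"
| eval status_class = case(status >= 500, "server_error", status >= 400, "client_error", status >= 300, "redirect", true(), "success")
| eval src_zone = if(cidrmatch("10.0.0.0/8", clientip), "internal", "external")
| eval actor = coalesce(nullif(user, "-"), "anonymous")
| where status_class = "client_error" AND src_zone = "external"
| bin _time span=1h
| stats count AS client_errors, dc(clientip) AS unique_ips by _time, actor
| sort _time
```

A few design points follow from the restrictions stated earlier on this page. The pipeline sorts on _time rather than on a calculated field, because Lumi doesn't support sorting on calculated fields. The stats call uses only the positional count and dc() aggregations, since optional stats arguments aren't supported. nullif(user, "-") turns the placeholder user into null so that coalesce can supply the "anonymous" label, which avoids a separate if() branch and keeps the anonymous rows in the per-actor breakdown instead of filtering them out as the rare and sirare examples do.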
Learn more
See the following Splunk documentation for information on the functions and expressions Splunk supports:
See the following Lumi topics for more information:
- Set up federated search for details on configuring federated search of Lumi events within Splunk.
- Federated search syntax for operators and syntax Lumi supports for federated search.
- How to search events with Splunk to walk through performing federated queries on Lumi events.