Lumi query syntax
This topic provides a reference for Imply Lumi query operators and syntax.
For more information about searching events, see Search events with Lumi.
Supported syntax
Use the following operators and syntax in Lumi queries to filter events, compare values, and combine conditions.
If your search term includes a space, enclose it in double quotes (").
| Operator/Syntax | Use | Example |
|---|---|---|
= | Equal to | index=main |
!= | Not equal to | method!=POST |
> | Greater than | bytes>5000 |
>= | Greater than or equal to | date_hour>=13 |
< | Less than | bytes<5000 |
<= | Less than or equal to | date_mday<=4 |
AND | Match both conditions | method=GET AND status=404 |
OR | Match either or both conditions | splunk_server=observe-01 OR host=web-01 |
NOT | Exclude results that match a condition | NOT uri=/register |
IN | Match if a field's value is in a list | user IN (aaron94,jasmine23) |
NOT IN | Match if a field's value is not in a list | NOT status IN (400,401,403) |
(a AND b) OR c | Control the order of operations of Boolean expressions | (uri=/shop AND uri_path=/shop) OR user=bernd74 |
attributeName=* | Match when an attribute is not null | referer=* |
NOT attributeName=* | Match when an attribute is null or not set | NOT useragent=* |
"" | Search for an exact phrase | useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)" |
* | Wildcard matching | useragent="*Windows NT*" |
# | System attribute query | #receiver=imply.file |
Note the following:
- All queries are case-sensitive.
- You can type a space to match search conditions instead of using the
ANDoperator, for examplemethod=GET status=404. - To search for a term containing special characters, enclose it in double quotation marks (
") or escape it with a backslash (\). For example, to search for the stringerror (critical), use the search term"error (critical)"orerror \(critical\). - To search for a double quotation mark itself, escape it with a backslash (
\). For example, to search for the string"404 not found", use the search term\"404 not found\".
See search limitations for a list of unsupported syntax elements.
Search limitations
Lumi doesn't currently support the following search syntax elements:
- Pipes to chain query operations or transform data, for example
a | b - Approximate equals, for example
attributeName~=searchterm - Searching JSON values within an event body
- Splunk® Search Processing Language (SPL)
Learn more
See the following topics for more information:
- Tour Lumi for how to navigate and use the Lumi UI.
- How to search events with Lumi to walk through set of queries for an example web store.
- Set up federated search to set up the federated search integration and query Lumi events from Splunk.