IAM key attribute reference
An IAM key authorizes your requests to send or search events in Imply Lumi from a third-party application. When you create a key, you add and configure an integration for the application. These configuration settings are called IAM key attributes. IAM key attributes include default values for event metadata and configuration parameters to parse events. To learn how Lumi prioritizes assignment for attributes that store default values, see User attribute defaults.
This topic provides reference information on IAM key attributes. Before continuing, ensure that you have a basic understanding of the event model and IAM keys.
Global attributes
The global attributes Environment and Team apply to all ingestion integrations.
Lumi assigns these values to the env and team system attributes, respectively.
If you don't set the global attributes, Lumi doesn't create the system attributes.
You can only search system attributes within Lumi.
HEC attributes
HEC attributes configure default fields and indexing settings for the Splunk® HEC integration.
The following table describes the HEC attributes:
| Attribute | Description | Example | User attribute if null |
|---|---|---|---|
| Source | Default value for source user attribute. Lumi populates Source with http:IAM_KEY_NAME, which follows the default source name assignment in Splunk, http:TOKEN_NAME. Note that HEC token names are unique in Splunk, but IAM key names aren't unique in Lumi. | http:demo-key | Not assigned |
| Source type | Default value for sourcetype user attribute | access_combined | httpevent |
| Index | Default value for index user attribute | main | main |
| Allowed indexes | Accepted index values for incoming HEC events. If none are specified, Lumi accepts events with any index value. | main, demo | N/A |
| Indexer acknowledgment | Whether to enable the data protocol for HEC indexer acknowledgment. When selected, HEC requests must include a channel ID, and Lumi returns an acknowledgment ID in the API response. Unlike Splunk, the acknowledgment in Lumi indicates receipt of the event and doesn't confirm event ingestion. | Checked | N/A |
S2S attributes
S2S attributes configure event parsing for tcpout, used with universal forwarders.
Lumi doesn't store S2S attributes with the events.
You can define multiple sets of S2S attributes on the same key. See Conditional attributes.
The following table describes the S2S attributes:
| Attribute | Description | Example | Default |
|---|---|---|---|
| Time prefix | String regular expression that matches the text pattern preceding the timestamp | [\w\.:]*\s[\w-]*\s[\w-]*\s\[ | Empty string |
| Max timestamp lookahead | Integer number that indicates the maximum character position to look for a timestamp. The position starts after the matched time prefix, if set. | 20 | 128 |
| Time format | String pattern in strptime format to extract timestamps | %d/%b/%Y:%H:%M:%S | Empty string |
| Should line merge | Boolean that controls merging of multi-line events | True | True |
For an example scenario, see Event parsing for S2S.
Note that these settings don't apply to heavy forwarders or S2S over HTTP (httpout).
S3 pull attributes
S3 pull attributes apply to the S3 pull integration that you use for recurring or backfill ingestion from objects in an S3 bucket.
The following table describes the S3 pull attributes:
| Attribute | Description | Example | Lumi behavior when null |
|---|---|---|---|
| AWS role ARN (required) | Amazon Resource Name of your AWS IAM role. Imply assumes this role to access your bucket. | arn:aws:iam::012345678910:role/demo-role | Key not created |
| Source | Default value for source user attribute | example-bucket | No attribute assigned |
| Source type | Default value for sourcetype user attribute | access_combined | No attribute assigned |
| Index | Default value for index user attribute. Lumi populates Index with main. | main | No attribute assigned |
| Format | Type of event format. Select from one of the supported event formats. | CSV | Automatic format detection |
In addition to the IAM key values, Lumi assigns additional attributes specific to S3 pull ingestion. For more information, see Ingestion metadata.
Federated search attributes
Federated search attributes on a Lumi IAM key control how Splunk accesses and queries Lumi data. You can configure the following attributes:
- Allowed indexes: Controls which Lumi indexes can be queried through federated search. See Configure allowed indexes for details on the available options.
- Query timeout: Controls how long a query can run before it is automatically canceled. The timeout value must be between 5 and 60 minutes.
- Data model: Contains field mappings to translate between Lumi event fields and data model fields defined in Splunk. Applies to transparent mode federated search only. See Set up Splunk transparent federated search for details on how to configure the JSON object for this attribute.
Grafana attributes
Grafana attributes apply to the Grafana integration for searching Lumi events using Grafana Loki.
Use Labels on an IAM key to configure Lumi user attributes as Grafana Loki labels, making them available for filtering and querying in LogQL.
The Lumi index attribute automatically maps to service_name in Grafana.
See Configure user attributes as labels for details.
Learn more
For more information, see the following topics:
- IAM keys to learn about how IAM keys work in Lumi.
- Manage IAM keys to learn how to create and manage an IAM key.
- Lumi concepts for Splunk users to learn how default fields and event parsing relate between Lumi and Splunk.
- Index user attribute for assigning the index user attribute.