IAM key attribute reference
An IAM key authorizes your requests to send or search events in Imply Lumi from a third-party application. When you create a key, you add and configure an integration for the application. These configuration settings are called IAM key attributes. IAM key attributes include default values for event metadata and configuration parameters to parse events.
This topic provides reference information on IAM key attributes. Before continuing, ensure that you have a basic understanding of the event model and IAM keys.
Global attributes
The global attributes Environment and Team apply to all ingestion integrations.
Lumi assigns these values to the env and team system attributes, respectively.
If you don't set the global attributes, Lumi doesn't create the system attributes.
You can only search system attributes within Lumi.
HEC attributes
HEC attributes configure default fields and indexing settings for the Splunk® HEC integration.
The following table describes the HEC attributes:
| Attribute | Description | Example | User attribute if null |
|---|---|---|---|
| Source (source) | Default value for the origin of the events sent to Lumi. Lumi populates Source with http:IAM_KEY_NAME, which follows the default source name assignment in Splunk (http:TOKEN_NAME). Note that HEC token names are unique in Splunk, but IAM key names aren't unique in Lumi. | http:demo-key | N/A |
| Source type (sourcetype) | Default value for the type of event data | access_combined | httpevent |
| Index (index) | Default value for the index attribute. The index is stored as a user attribute on the event, not as the event's repository. For details, see Lumi concepts for Splunk users. | main | main |
| Allowed indexes | Comma-separated list of allowed values for the index field | main, demo | N/A |
| Indexer acknowledgment | Option to enable the data protocol for HEC indexer acknowledgment. Lumi expects HEC requests to contain a channel ID and returns an acknowledgment ID in the response. Unlike Splunk, the acknowledgment in Lumi indicates receipt of the event and doesn't confirm event ingestion. | Checked | N/A |
For attributes that store default values, understand how Lumi prioritizes attribute assignment in User attribute default values. Note that Allowed indexes and Indexer acknowledgment don't correspond to any user attributes.
S2S attributes
S2S attributes configure event parsing for tcpout, used with universal forwarders.
Lumi doesn't store S2S attributes with the events.
You can define multiple sets of S2S attributes on the same key. See Conditional attributes.
The following table describes the S2S attributes:
| Attribute | Description | Example | Default |
|---|---|---|---|
| Time prefix | String regular expression that matches the text pattern preceding the timestamp | [\w\.:]*\s[\w-]*\s[\w-]*\s\[ | Empty string |
| Max timestamp lookahead | Integer number that indicates the maximum character position to look for a timestamp. The position starts after the matched time prefix, if set. | 20 | 128 |
| Time format | String pattern in strptime format to extract timestamps | %d/%b/%Y:%H:%M:%S | Empty string |
| Should line merge | Boolean that controls merging of multi-line events | True | True |
For an example scenario, see Event parsing for S2S.
Note that these settings don't apply to heavy forwarders or S2S over HTTP (httpout).
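The following sketch models how Time prefix, Max timestamp lookahead, and Time format interact, using the Example values from the table. It is an added example, not Lumi's parser: the function name extract_timestamp, the sample log line, and the longest-prefix matching strategy are assumptions made for illustration.

```python
import re
from datetime import datetime


def extract_timestamp(line, time_prefix, max_lookahead, time_format):
    """Model of the three S2S settings (illustrative, not Lumi's parser).

    Returns a naive datetime, or None when no timestamp is found.
    """
    start = 0
    if time_prefix:
        m = re.search(time_prefix, line)
        if m is None:
            return None  # prefix never matched: nothing anchors the timestamp
        start = m.end()
    # Only this window is searched; text beyond it is invisible to the parser.
    window = line[start:start + max_lookahead]
    # strptime requires an exact match, so try the longest prefix of the
    # window first and shrink until the format fits.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


# Constructed access_combined-style line (sample data, not from a real system).
SAMPLE = ('198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] '
          '"GET /login HTTP/1.1" 200 512')
# Values taken from the Example column of the S2S attribute table.
TIME_PREFIX = r'[\w\.:]*\s[\w-]*\s[\w-]*\s\['
TIME_FORMAT = '%d/%b/%Y:%H:%M:%S'

if __name__ == '__main__':
    # 20 covers the timestamp exactly, 128 is the default, 10 is too short.
    for lookahead in (20, 128, 10):
        result = extract_timestamp(SAMPLE, TIME_PREFIX, lookahead, TIME_FORMAT)
        print(lookahead, result)
```

In this model, a lookahead shorter than the timestamp yields no timestamp at all, which is worth checking before relying on event times for detection or incident timelines.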
S3 pull attributes
S3 pull attributes apply to the S3 pull integration that you use for recurring or backfill ingestion from objects in an S3 bucket.
Be sure to understand how Lumi prioritizes user attribute default values when you set source, sourcetype, or index.
If the IAM key attribute is null and you don't otherwise assign it in a pipeline, Lumi doesn't store the user attribute.
The following table describes the S3 pull attributes:
| Attribute | Description | Example |
|---|---|---|
| AWS role ARN (required) | Amazon Resource Name of your AWS IAM role. Imply assumes this role to access your bucket. Not stored with events. | arn:aws:iam::012345678910:role/demo-role |
| Source (source) | Default value to describe the origin of events | example-bucket |
| Source type (sourcetype) | Default value to describe the event data | access_combined |
| Index (index) | Default value for the index. Lumi populates Index with main. | main |
| Format | Type of event format. Lumi auto-detects the format by default. Otherwise, you can select from one of the supported event formats. | CSV |
In addition to the IAM key values, Lumi assigns additional attributes specific to S3 pull ingestion. For more information, see Ingestion metadata.
Federated search attributes
Federated search attributes on a Lumi IAM key control how Splunk accesses and queries Lumi data. You can configure the following attributes:
- Allowed indexes: Controls which Lumi indexes can be queried through federated search. See Configure allowed indexes for details on the available options.
- Data model: Contains field mappings to translate between Lumi event fields and data model fields defined in Splunk. See Set up Splunk transparent federated search for details on how to configure the JSON object for this attribute.
Grafana attributes
Grafana attributes apply to the Grafana integration for searching Lumi events using Grafana Loki.
Use Labels on an IAM key to configure Lumi user attributes as Grafana Loki labels, making them available for filtering and querying in LogQL.
The Lumi index attribute automatically maps to service_name in Grafana.
See Configure user attributes as labels for details.
Learn more
For more information, see the following topics:
- IAM keys to learn about how IAM keys work in Lumi.
- Manage IAM keys to learn how to create and manage an IAM key.
- Lumi concepts for Splunk users to learn how default fields and event parsing relate between Lumi and Splunk.
- Index user attribute for assigning the index user attribute.