Search events with Lumi

You can search for specific events in Imply Lumi. Click Explore in the navigation menu to get started.

The explore view lists all events in Lumi that match the search criteria and occurred during a specified time period. See Tour Lumi for an overview of the elements on the page.

Explore main

The events timeline shows the number of events created during the selected time period. Click a bar and select Zoom in to filter on those events.

To search for events, you can use the search bar, the attributes panel, or a combination of both.

Prerequisites

To search for events, you need a Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.

To search for events using the search bar:

  1. Enter your query into the search bar, or click to display a list of user attributes. See Lumi query syntax for a list of supported operators.

    • If you select or type the name of a user attribute followed by =, Lumi displays a list of unique event data for that attribute. Select a single entry to display matching events.
    • To search by a system attribute, type a hash (#). Lumi displays a list of system attributes you can select.
  2. Use the time range selector next to the search bar to select a time range for the search. The default time range is the past 15 minutes. You can select a predefined time range or click Fixed range to set your own start and end date/time. The search range includes the earliest time and excludes the latest time.

  3. Press Enter or click the search icon to execute the search.

  4. Click x inside the search bar to clear the search.

Refresh events

The explore view refreshes periodically to display any new events added to Lumi that meet the current search criteria.

The events list doesn't refresh if you have scrolled down the events list or opened the event details pane. In these cases, the auto-refresh only applies to the events timeline and attributes panel. Once you close the details pane or scroll to the top of the events list, the auto-refresh cycle continues.

You can also click the refresh button above the events list to manually refresh the explore view.

The following example searches for events with system attribute #receiver="imply.file" and user attribute splunk_server="observe-01" for the past day:

Example search

Click an event in the events list to see its full details:

Event details

Click a user or system attribute to open a menu where you can add the attribute and its value to the current search, exclude it from the search, or replace the current search. You can also add a column for a user attribute to the events list.

Share a query URL

Once you perform a search in the explore view, you can copy and share the query URL. For example:

https://mylumi.imply.io/explore?past=P1W&query=host%3Dweb-01+bytes>5000

You can also highlight an event in the list and copy the URL that links directly to that event, for example:

https://mylumi.imply.io/explore?past=P1W&query=host%3Dweb-01+bytes%3E5000&focus.id=e_01K0CPH2ZTT7EG2E3P42BC23WC-527&focus.ts=1752708808000

The URL loads the query with the event details pane opened for the highlighted event. Note that only Lumi users with the Viewer role or higher can view the URL. For information on roles and permissions, see Manage roles.

When you share a query URL with a relative time range such as Past day, the events list might show different events depending on when the URL is opened. Switch to a fixed time range before you copy the URL to share a specific range of events.
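
The drift described above can be checked offline before a link goes into a ticket or incident timeline. The following Python sketch is an added example, not Imply's code: it decodes a shared explore URL and reports whether the highlighted event still falls inside a relative time range when the link is opened later. It assumes, from the sample URLs only, that `past` is an ISO 8601 duration, that `focus.ts` is epoch milliseconds in UTC, and that a relative range ends at the moment the link is opened; `inspect_share_url` and `focus_in_window` are hypothetical helper names.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption: `past` holds an ISO 8601 duration (P1W, P1D, PT15M, ...).
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Convert a week/day/hour/minute/second ISO 8601 duration to a timedelta."""
    match = _DURATION.match(text)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, m, s = (int(g or 0) for g in match.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=m, seconds=s)

def inspect_share_url(url, opened_at):
    """Decode a shared explore URL as it would resolve when opened at `opened_at`."""
    params = parse_qs(urlsplit(url).query)
    info = {
        "query": params.get("query", [""])[0],  # percent- and plus-decoded
        "relative": "past" in params,
        "window": None,
        "focus_time": None,
    }
    if info["relative"]:
        # Assumption: a relative range ends at the moment the URL is opened.
        info["window"] = (opened_at - parse_duration(params["past"][0]), opened_at)
    if "focus.ts" in params:
        # Assumption: focus.ts is epoch milliseconds in UTC.
        info["focus_time"] = datetime.fromtimestamp(
            int(params["focus.ts"][0]) / 1000, tz=timezone.utc)
    return info

def focus_in_window(info):
    """True if the highlighted event is inside the half-open window [start, end)."""
    if info["window"] is None or info["focus_time"] is None:
        return None
    start, end = info["window"]
    return start <= info["focus_time"] < end

# Sample event URL taken from this page.
SAMPLE_URL = ("https://mylumi.imply.io/explore?past=P1W&query=host%3Dweb-01+bytes%3E5000"
              "&focus.id=e_01K0CPH2ZTT7EG2E3P42BC23WC-527&focus.ts=1752708808000")

if __name__ == "__main__":
    for opened in (datetime(2025, 7, 17, tzinfo=timezone.utc),
                   datetime(2025, 8, 1, tzinfo=timezone.utc)):
        info = inspect_share_url(SAMPLE_URL, opened)
        print(opened.isoformat(), repr(info["query"]), focus_in_window(info))
```

Opened one day after the event, the link's window still covers the highlighted event; opened two weeks later, the same link's window has moved past it.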

Use the attributes panel

You can use the attributes panel to select and deselect data in user and system attributes. User attributes appear at the top of the attributes panel. System attributes appear at the bottom with the suffix (system), for example Receiver (system).

Lumi updates the search bar as you select and deselect data. Conversely, Lumi updates attributes panel selections as you enter search criteria into the search bar.

The list of matching events updates if you make changes to the time range selector.

You can start a search using the attributes panel, and then modify it directly in the search bar according to your requirements.

The following example displays events in the past day that don't contain the notice status:

De-selected attribute search

Info: If the attribute selection uses unsupported syntax, Lumi displays a message, such as "Syntax [>=] used in search is not yet supported."
