Lumi query syntax reference

AI summary

Describes query operators and syntax for Imply Lumi to filter events and combine conditions. Covers supported syntax for searches, including indexing timestamp queries. Lists current Lumi search limitations.

About AI summaries.

This topic provides a reference for Imply Lumi query operators and syntax.

For more information about searching events, see Search events with Lumi.

Supported syntax

Use the following operators and syntax in Lumi queries to filter events, compare values, and combine conditions.

Operator/Syntax	Use	Example
`=`	Equal to	`index=main`
`!=`	Not equal to	`method!=POST`
`>`	Greater than	`bytes>5000`
`>=`	Greater than or equal to	`date_hour>=13`
`<`	Less than	`bytes<5000`
`<=`	Less than or equal to	`date_mday<=4`
`AND`	Match both conditions A space between two conditions represents an implicit `AND`.	`method=GET AND status=404` `method=GET status=404`
`OR`	Match either or both conditions	`splunk_server=observe-01 OR host=web-01`
`NOT`	Exclude results that match a condition	`NOT uri=/register`
`IN`	Match if a field's value is in a list	`user IN (aaron94,jasmine23)`
`NOT IN`	Match if a field's value is not in a list	`NOT status IN (400,401,403)`
`(a AND b) OR c`	Control the order of operations of Boolean expressions	`(uri=/shop AND uri_path=/shop) OR user=bernd74`
`attributeName=*`	Match when an attribute is not null	`referer=*`
`NOT attributeName=*`	Match when an attribute is null or not set	`NOT useragent=*`
`""`	Search for an exact phrase	`useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"`
`*`	Wildcard matching	`useragent="Windows NT"`
`#`	System attribute query	`#receiver=imply.file`
`CASE`	Case-sensitive values You can use `CASE` in keyword searches, equality evaluations, and `IN` lists	`CASE("RunTime")`

See search limitations for a list of unsupported syntax elements.

Query evaluation

The following section describes how Lumi evaluates queries.

Case sensitivity: Attribute names are case-sensitive. However, attribute values, wildcard matches, and keyword searches are case-insensitive. Use CASE for case-sensitive value searches.

Examples of equivalent searches (case-insensitive):
- linux and Linux
- "runtime" and "RunTime"
- status=success and status=SUCCESS
Examples of different searches (case-sensitive):
- status=200 and STATUS=200
- status=success and status=CASE(success)
Operator precedence: Boolean operators are prioritized by NOT > AND > OR. Implicit AND using the space character has the same precedence as explicit AND. Use parentheses (()) to control the order of operations.
Value comparison: Comparison operators (>, >=, <, <=) compare values numerically when both values are detected as numbers. If either value isn't numeric, Lumi compares them as strings.
- Valid number formats are integers, decimals, and scientific notation. Numbers can include a positive or negative sign. For example, 42, 3.14, 1e10, -5.
- Lumi doesn't detect numbers when the value contains a comma. For example, 1,000 isn't evaluated numerically.
Attribute presence: The operators !=, <, <=, >, >=, and IN only match events where the attribute is present. To return events that don't contain an attribute, use NOT. Examples:
- attributeName!=abc returns events where attributeName is present and isn't abc
- NOT (attributeName=*) returns events where attributeName is missing
- NOT (attributeName=abc) returns events from both previous examples (not abc or missing)
Special characters: Lumi handles special characters as described in the following table.

Characters	Description and usage notes	Example
Whitespace, `=` `~` `>` `<` `(` `)` `,` `!` `#` `\`	Reserved for Lumi. To search for the literal character, precede it with a backslash (`\`) or wrap the search term in double quotes (`"`).	`error \(critical\)` searches for `error (critical)`
`"` `\`	To search for the literal character, escape it with backslash. Also applies when the search term is wrapped in double quotes.	`\"404 not found\"` searches for `"404 not found"`
`\X`	When `X` isn't a reserved character, enclose the search term in double quotes to search for the literal character. Outside of quotes, Lumi silently drops backslash and only searches `X`.	`"CL\OSED"` searches for `CL\OSED`
`\n` `\t` `\r` `\b` `\f`	Escape sequence that matches the corresponding control character.	`"line1\nline2"` searches for `line1` and `line2` with a newline in between
`*`	Always used for wildcard matching. You can't search for a literal asterisk character.	`"abc\*def"` searches for values starting with `abc` and ending with `def`
Unicode characters	You can directly search for non-ASCII characters such as emojis, accented letters, and CJK characters. Don't search using Unicode escape sequences such as `\u0041`.	`喜` searches for `喜`

Query by event indexing timestamp

You can add a Lumi pipeline to capture the ingestion timestamp for each event. For details, see Store event indexing time.

Once your events have the indexing timestamp attribute, you can filter searches by ingestion time range in Unix time format. For example, the following query finds events with host web-01 and index time between 11:14 PM and 11:15 PM on February 3, 2026 UTC:

host=web-01 _indextime>1770220440 _indextime<1770220500

Search limitations

Lumi doesn't currently support the following search syntax elements:

Pipes to chain query operations or transform data, for example a | b
Searching JSON values within an event body
Splunk® Search Processing Language (SPL)

Learn more

See the following topics for more information:

Tour Lumi for how to navigate and use the Lumi UI.
How to search events with Lumi to walk through set of queries for an example web store.
Search events with Splunk to set up the federated search integration and query Lumi events from Splunk.

Supported syntax​

Query evaluation​

Query by event indexing timestamp​

Search limitations​

Learn more​

Supported syntax

Query evaluation

Query by event indexing timestamp

Search limitations

Learn more