
Index user attribute

User attributes in Imply Lumi are metadata fields you use to filter search results. The index is a special user attribute used for Splunk® federated search.

This topic describes how to assign the index user attribute when you send events to Lumi.

Note that you can assign other Splunk default fields, such as source and sourcetype, in the same way as described for index in this topic.

Assignment from IAM key attribute

The following integrations allow you to set a default value for index as an IAM key attribute:

To set default values, you create an IAM key, add the integration, then configure the attributes for the integration. For example:

  1. Create an IAM key
  2. Add the Splunk HEC integration
  3. Set Index in HEC attributes

If you don't specify default values, Lumi assigns the system default value, typically main.

To learn how to create an IAM key and add an integration, see Manage IAM keys.

To learn about IAM key attributes, see IAM key attribute reference. The topic also describes the Lumi behavior when you set the default index for multiple integrations on the same key.

Assignment from other sources

Whether or not an integration stores the default index value, you can assign index from your third-party application that forwards events to Lumi, or set it from within Lumi using a pipeline.

Note the priority of user attribute assignment as described in Event model. Values set by pipelines take precedence, followed by values assigned from forwarding agents and IAM key attributes.

Forwarding agents

For integrations that don't take index as an IAM key attribute, assign the metadata field in your forwarding agent or use a pipeline in Lumi. For example, if you send events using an OTel collector, assign index in the attributes processor, such as in this configuration:

processors:
  attributes/add_metadata:
    actions:
      - key: index
        value: "prod"
        action: insert
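An OTel collector only runs a processor that is also listed in a pipeline under service, so the attributes processor has to be wired in for index to reach Lumi. The following is an added example, not taken from the Lumi documentation, that shows the processor in a complete logs pipeline; the otlp receiver, the otlphttp exporter, the exporter name and the LUMI_OTLP_ENDPOINT variable are assumptions to replace with the values for your integration.

```yaml
# Added example, not from the Lumi documentation.
receivers:
  otlp:                      # assumed receiver; use the one your collector already has
    protocols:
      grpc:
      http:

processors:
  attributes/add_metadata:
    actions:
      - key: index
        value: "prod"
        # insert only adds the attribute when the record has no index yet;
        # upsert would also overwrite a value set earlier in the chain.
        action: insert

exporters:
  otlphttp/lumi:             # assumed exporter type and name
    endpoint: ${env:LUMI_OTLP_ENDPOINT}   # hypothetical variable holding your Lumi endpoint

service:
  pipelines:
    logs:
      receivers: [otlp]
      # A processor defined above does nothing until it is listed here.
      processors: [attributes/add_metadata]
      exporters: [otlphttp/lumi]
```

Because the action is insert, events that already carry an index attribute keep their existing value; choose upsert only when the collector should be the authority for index.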

Pipelines

You can also use a pipeline to assign the index. Values set by a pipeline override any set by a forwarding agent or assigned on an IAM key. To set index using a pipeline, create the pipeline, set the conditions for which events get processed, then add a processor that assigns the attribute. For example:

Consider other processors for more complex use cases, such as conditional mapping or parsing a value from an event message.

To learn how to work with pipelines, see Manage pipelines and processors.

Assignment from Splunk forwarders

When you don't explicitly assign the index for Lumi, you might still see it as a user attribute on your event when you use a forwarding agent in the Splunk ecosystem.

For example, a Splunk forwarder assigns index in inputs.conf. When you use S2S over TCP (tcpout) or S3 ingest actions, your forwarder assigns this metadata before Lumi receives it. Lumi stores incoming event metadata as user attributes.

For more details about index as it relates to Splunk, see Lumi concepts for Splunk users.