Index user attribute reference

AI summary

Explains how to assign the index user attribute in Imply Lumi for Splunk® federated search. Covers assignment methods including IAM key attributes, forwarding agents, and Lumi pipelines. Details priority order when multiple assignment methods apply.

About AI summaries.

User attributes in Imply Lumi are metadata fields you use to filter search results. The index is a special user attribute used for Splunk® federated search. This topic describes ways you can assign index to Lumi events.

Note you can assign other Splunk default fields, such as source and sourcetype, in the same way as described in this topic.

IAM key attribute

For Splunk HEC and S3 pull, the IAM key attribute Index stores a default value to assign to index. The default applies when you don't otherwise assign it from a forwarding agent or pipeline.

To use this option, create an IAM key, add the integration, then configure the attributes for the integration. For example:

1. Create an IAM key.
2. Add the Splunk HEC integration.
3. Set Index in HEC attributes.

Forwarding agents

You can assign index as a metadata field using your forwarding agent. This overrides any value set as an IAM key attribute.

For example, if you send events using an OTel collector, assign index in the attributes processor, such as in this configuration:

processors:
    attributes/add_metadata:
        actions:
            - key: index 
              value: "prod"
              action: insert

Splunk forwarders

When you don't explicitly assign the index for Lumi, you might still see it as a user attribute on your event when you use a forwarding agent in the Splunk ecosystem.

For example, a Splunk forwarder assigns index in inputs.conf. When you use S2S over TCP (tcpout) or S3 ingest actions, your forwarder assigns this metadata before Lumi receives it. Lumi stores incoming event metadata as user attributes.

Pipelines

You can also use a pipeline to assign the index. Values set by a pipeline override any set by a forwarding agent or assigned on an IAM key. To set index using a pipeline, create the pipeline, set the conditions for which events get processed, then add a processor that assigns the attribute. For example:

• Assign a static value using a value mapper.
• Assign it from another attribute using the attribute mapper.

Learn more

For more information, see the following topics:

• Event model to learn about how Lumi prioritizes user attribute assignment.
• IAM keys to learn about IAM key attributes and how attributes apply when you reuse an IAM key.
• Manage IAM keys to learn how to create an IAM key and add integrations.
• Lumi concepts for Splunk users for more details about the index as it relates to Splunk.
• Manage pipelines and processors to learn how to work with pipelines.