How to search events with Lumi
This tutorial builds on the Quickstart and shows you how to run a set of example queries in Imply Lumi.
The steps assume that you've already:
- Added web logs to Lumi using the file upload feature.
- Viewed and queried events in Lumi.
To complete the steps, you use sample web traffic data from a fictional online store. For details about the dataset and its format, see the tutorial data overview.
The following diagram summarizes the end-to-end process of searching events with Lumi.
Prerequisites
To complete the tutorial, you need the following:
- An up-to-date version of the sample log file uploaded to Lumi. Refer to the Quickstart for instructions.
- Access to Lumi with the Viewer role or higher. For information on roles and permissions, see Manage roles.
Make sure you're familiar with the Lumi explore view, including the time range selector. To retrieve similar results to those shown below, set the time range to the past 7 days.
The events list displays the Time and Content columns by default. Click a column heading and select Add column to the left/right to display additional columns that are relevant to each query.
1. Collect traffic insights
Site traffic data provides you with information on the volume, timing, and sources of site visits. It's useful for marketing, site performance monitoring, and identifying UX and engagement issues.
Quick queries
Run these queries to explore overall traffic volume, behavior, and sources.
| Use case | Query |
|---|---|
| Retrieve successful page loads. | method=GET status=200 |
| Show requests with known referers. | referer=* |
| Show successful mobile traffic from Android users. | (method=GET OR method=POST) status=200 useragent="*Android*" |
Detailed examples
This section contains targeted queries that explore specific traffic flows and their origins.
- Run the following query to show all successful requests that originated from another page:
(method=GET OR method=POST) status=200 referer=*
Example output:
| Time | Method | Status | Referer |
|---|---|---|---|
| 01 May, 22:36:28.000 | GET | ok | https://www.tiktok.com/ |
| 02 May, 06:36:16.000 | GET | ok | https://www.bing.com/ |
| 03 May, 08:35:45.000 | GET | ok | https://search.yahoo.com/ |
| 04 May, 03:33:54.000 | GET | ok | https://www.ebay.com/ |
| 05 May, 19:31:16.000 | GET | ok | https://www.etsy.com/ |
- Run the following query to show successful referrer transitions to product pages:
uri=/product referer=* status=200
Example output:
| Time | Uri_path | Referer | Status |
|---|---|---|---|
| 01 May, 22:28:37.000 | /product/eclipse-wall-sconce | http://duckduckgo.com | ok |
| 02 May, 06:38:02.000 | /product/orion-pendant-light | http://www.aliexpress.com | ok |
| 03 May, 14:42:35.000 | /product/aurora-chandelier | http://www.etsy.com | ok |
| 04 May, 21:45:35.000 | /product/aurora-chandelier | http://twitter.com | ok |
2. Analyze user behavior
These queries help you understand how individual users interact with the site. They’re useful for UX research, personalization strategies, and behavioral segmentation.
Quick queries
Run the following queries to examine individual users’ actions and interactions across the site.
| Use case | Query |
|---|---|
| Filter activity by a specific user. | user=sallyosborne |
| Show registration page visits. | uri=/register |
| Show search activity. | uri=/search method=POST |
| Return the activity of two specific users. | user IN (bernd73,michelle00) |
Detailed examples
This section contains structured queries to reveal user journeys or combined behavior patterns.
- Run the following query to show searches performed by specific users, or any access to the trending page:
(user IN (jaredevans, admin*) AND uri=/search) OR uri = /trending
Example output:
| Time | User | Uri |
|---|---|---|
| 01 May, 22:38:18.000 | jaredevans | /search |
| 01 May, 12:20:21.000 | admin728 | /trending |
| 02 May, 08:57:49.000 | fosternicole | /trending |
| 03 May, 10:50:47.000 | admin001 | /search |
| 03 May, 21:48:56.000 | admin728 | /search |
| 04 May, 01:44:09.000 | admin123 | /trending |
| 05 May, 19:19:57.000 | admin001 | /search |
- Run the following query to show users of Windows devices who viewed product pages successfully, and navigated from the /shop page:
uri_path="/product/*" status=200 useragent="*Windows*"
Example output:
| User | Uri | Useragent |
|---|---|---|
| peter8888 | /product/eclipse-wall-sconce | Mozilla/5.0 (Windows NT 10.0; Win64; x64)... |
| michelle00 | /product/orion-pendant-light | Mozilla/5.0 (Windows NT 10.0; Win64; x64)... |
3. Track inventory activity
Inventory data reflects how products are browsed, added to carts, and updated. These queries support merchandising, stock control, and operational monitoring.
Quick queries
Run the following queries to monitor product views, cart activity, and inventory updates.
| Use case | Query |
|---|---|
| Show product page views, which can imply interest or demand. | uri=/product method=GET |
| Show cart actions. | uri=/cart method=POST |
| Fetch low stock items. | uri_path=/admin/inventory-alerts |
| Show when a specific user updated stock via a POST method. | uri=/inventory method=POST user=davidbarry |
| Show when staff exported stock data. | uri_path=/admin-export/* |
Detailed examples
This section contains queries that return specific inventory-related activity from the sample data.
- Run the following query to reveal customer interest in specific products:
uri_path IN (/product/stellar-floor-lamp,/product/aurora-chandelier,/product/eclipse-wall-sconce) method=GET
Example output:
| Uri_path | User | Referer |
|---|---|---|
| /product/aurora-chandelier | ethelmcdonald | https://www.facebook.com |
| /product/stellar-floor-lamp | michelle00 | |
| /product/stellar-floor-lamp | alexander9122 | https://www.facebook.com |
| /product/aurora-chandelier | - | https://twitter.com |
| /product/eclipse-wall-sconce | adam9928 | https://www.retailmenot.com |
| /product/aurora-chandelier | miltonle | |
- Run the following query to return all events where a user added a product to their cart using a POST request:
uri="/cart" method=POST
Example output:
| Uri | User | Host | Referer |
|---|---|---|---|
| /cart | marnie9928 | web-01 | https://www.tiktok.com |
| /cart | admin374 | web-01 | https://www.retailmenot.com |
| /cart | alexander9122 | web-01 | https://www.linkedin.com |
- Run the following query to identify real users (not bots) who searched for products:
uri_query=* NOT useragent=*bot*
Example output:
| User | Uri_path | Uri_query | Referer |
|---|---|---|---|
| jaredevans | /search | q=smart+bulb | https://www.amazon.com |
| horace778 | /search | q=smart+bulb | https://www.forbes.com |
| annabel883 | /search | q=ceiling+light | https://techcrunch.com |
| felicity9923 | /search | q=chandelier | https://www.youtube.com |
| bernd73 | /search | q=chandelier | https://www.ebay.com |
4. View errors and anomalies
These queries help identify failed requests, potential bugs, suspicious behavior, and unauthorized access attempts. They’re useful for security audits and debugging.
Quick queries
Run the following queries to detect failed requests, bots, and potentially unauthorized actions.
| Use case | Query |
|---|---|
| Show failed requests. | status IN (400,404,500) |
| Show direct traffic. | referer=*direct* |
| Display known bot activity. | useragent="*bot*" |
Detailed examples
This section contains queries to uncover specific suspicious and failed actions in the sample data.
- Run the following query to detect unauthorized delete actions:
user!=admin* uri_path=/admin/inventory/delete*
Example output:
| Uri_path | Method | User |
|---|---|---|
| /admin/inventory/delete/stellar-floor-lamp | DELETE | bernd73 |
| /admin/inventory/delete/aurora-pendant | DELETE | marnie9928 |
- Run the following query to identify client-side errors that occurred specifically on product pages:
uri_path="/product/*" status IN (400,404)
Example output:
| Uri | User | Status |
|---|---|---|
| /product/eclipse-wall-sconce | adam9928 | notice |
| /product/stellar-floor-lamp | kennethjohnson | notice |
5. Monitor performance
Performance queries focus on server load, response timing, and infrastructure usage. They’re useful for operations, DevOps teams, and load testing.
Quick queries
Run the following queries to view system activity and identify performance patterns.
| Use case | Query |
|---|---|
| Retrieve logs on a specific Splunk® server. | splunk_server=observe-01 |
| Display traffic for a specific index and host. | index=main host="web-01" |
| Display large successful responses. | bytes > 5000 status=200 |
| Show events for a specific IAM key. | #iamKeyId="2594bc4b-ea43-400e-854a-8ae9b4f5a8bb" |
Detailed examples
This section contains queries to identify system activity patterns.
- Run the following query to show requests to product pages that involved large responses (more than 5000 bytes):
uri_path="/product/*" bytes>5000
Example output:
| Time | Uri | User | Bytes |
|---|---|---|---|
| 01 May, 22:58:10.000 | /product/stellar-floor-lamp | alexander9122 | 7326 |
| 02 May, 14:53:47.000 | /product/nebula-table-lamp | alexander9122 | 7113 |
| 03 May, 08:51:22.000 | /product/aurora-chandelier | willowlim | 7189 |
| 04 May, 11:51:22.000 | /product/eclipse-wall-sconce | admin374 | 5175 |
| 05 May, 16:51:22.000 | /product/eclipse-wall-sconce | dorothy3321 | 8065 |
- Run the following query to identify requests that returned status 200 (OK) but had a very small response size. This potentially points to minimal or blank page responses, or to server-side issues returning incomplete data:
status=200 bytes<1000 method=GET
Example output:
| Time | Uri | User | Bytes |
|---|---|---|---|
| 01 May, 23:31:58.000 | /cart | lena629 | 67 |
| 02 May, 06:31:58.000 | /categories | adrian155 | 718 |
| 03 May, 10:31:58.000 | /categories | dorothy3321 | 503 |
| 03 May, 11:31:58.000 | /admin | alice997 | 165 |
| 04 May, 22:31:58.000 | /categories | sallyosborne | 760 |
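The following Python script is an added example and is not part of the Lumi tutorial or Imply's code. It implements an approximation of the predicate semantics the queries on this page rely on (terms separated by whitespace are ANDed, * is a wildcard, IN tests membership, NOT negates one term, and < and > compare numerically) and runs the unauthorized-delete check from step 4 and the small-response anomaly query from step 5 over a handful of constructed log events, so you can see which event each term keeps or drops. The field names follow the tutorial; the sample values, and the grammar's exact behaviour (for example, how a missing field compares), are assumptions. OR and parentheses are not supported.

```python
"""Mini evaluator for the query predicates used in this tutorial.

Added example, not code from the Lumi tutorial or from Imply. It assumes
Lumi-like semantics for the subset it supports: whitespace-separated terms
are ANDed, '*' is a wildcard, IN (...) tests membership (wildcards allowed
per item), NOT negates one term, and < > <= >= compare numerically.
Parentheses and OR are not handled.
"""
import fnmatch
import operator
import re

# Constructed sample events, modelled on the tutorial's web-log fields.
EVENTS = [
    {"user": "bernd73", "method": "DELETE",
     "uri_path": "/admin/inventory/delete/stellar-floor-lamp",
     "status": 200, "bytes": 120, "useragent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"user": "admin001", "method": "DELETE",
     "uri_path": "/admin/inventory/delete/aurora-pendant",
     "status": 200, "bytes": 118, "useragent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"user": "lena629", "method": "GET", "uri_path": "/cart",
     "status": 200, "bytes": 67, "useragent": "Mozilla/5.0 (Linux; Android 13)"},
    {"user": "-", "method": "GET", "uri_path": "/product/aurora-chandelier",
     "status": 404, "bytes": 512, "useragent": "Googlebot/2.1"},
    {"user": "adam9928", "method": "GET", "uri_path": "/product/eclipse-wall-sconce",
     "status": 200, "bytes": 7326, "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

# One search term: optional NOT, a field name, then either an operator and a
# value (quoted or bare) or an IN (...) list.
TERM = re.compile(
    r'(?P<neg>NOT\s+)?(?P<field>\w+)'
    r'(?:\s*(?P<op>!=|>=|<=|>|<|=)\s*(?P<val>"[^"]*"|\S+)'
    r'|\s+IN\s*\((?P<list>[^)]*)\))'
)
CMP = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def parse(query):
    """Split a query into term matches; reject anything the grammar cannot read."""
    terms, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TERM.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse near {query[pos:]!r}")
        terms.append(m)
        pos = m.end()
    return terms


def value_matches(actual, pattern):
    # A bare value is an exact match; '*' and '?' act as glob wildcards.
    return fnmatch.fnmatchcase(str(actual), pattern.strip('"'))


def term_matches(term, event):
    actual = event.get(term.group("field"))
    if term.group("list") is not None:
        items = [p.strip() for p in term.group("list").split(",")]
        hit = actual is not None and any(value_matches(actual, p) for p in items)
    else:
        op, val = term.group("op"), term.group("val").strip('"')
        if op in CMP:
            try:
                hit = actual is not None and CMP[op](float(actual), float(val))
            except ValueError:  # non-numeric field or literal never compares
                hit = False
        else:
            equal = actual is not None and value_matches(actual, val)
            hit = equal if op == "=" else not equal  # '=' or '!='
    return not hit if term.group("neg") else hit


def search(query, events=EVENTS):
    """Return the events for which every term of the query holds."""
    terms = parse(query)
    return [e for e in events if all(term_matches(t, e) for t in terms)]


if __name__ == "__main__":
    for q in ("user!=admin* uri_path=/admin/inventory/delete*",
              "status=200 bytes<1000 method=GET",
              "status IN (400,404,500)"):
        print(q)
        for e in search(q):
            print("   ", e["user"], e["method"], e["uri_path"], e["status"], e["bytes"])
```

Run it as a script to see the three queries evaluated against the constructed events; the first reports only the non-admin DELETE, the second only the 67-byte GET to /cart. To try another query from this page, pass it to search(): anything using OR or parentheses raises ValueError rather than silently matching nothing.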
Learn more
See the following topics for more information:
- Search events with Lumi for details on supported search syntax and search limitations.
- Tour Lumi for an introduction to the Lumi UI.
- File upload reference for more details on file upload.