
Event lifecycle

Imply Lumi collects, processes, and stores events. A raw event logged by an application or system component can undergo several transformations before it reaches Imply Lumi. For example, a Splunk® heavy forwarder can parse the event, modify its fields, and add metadata before forwarding the event to another destination.

Imply Lumi collects the event through a receiver. The receiver parses and enriches the event with system and user attributes. You can specify global attributes, a subset of system attributes, and user attributes on the IAM key used to authenticate the connection. For more information on the attributes that Imply Lumi may assign to the event, see Event model.

Info: Any attributes set on the event by an upstream agent override any user attributes set on the IAM key.

The general lifecycle of an event in Imply Lumi is as follows:

  1. An application generates an event.
  2. An upstream agent forwards the event to Imply Lumi. For options to send events, see Send events.
  3. An Imply Lumi receiver collects the event. The event header includes an IAM key token used to authenticate the connection. The token may contain global and user attributes. The receiver uses this metadata to enrich the event.
  4. Imply Lumi retains the enriched event.
  5. Once retained, the event becomes immediately searchable.

The following diagram illustrates this lifecycle:

Event lifecycle diagram

Example

The following example shows how an event is transformed along the way when Splunk sends it to Imply Lumi using a Splunk ingest action for routing to S3.

The following is an example of a raw event:

11.44.142.49 - - [25/Mar/2025:19:23:38 ] "GET /logout HTTP/1.1" 200 2326 "https://www.forbes.com/" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"

A Splunk event collector receives the raw event and parses it into key-value pairs. The event collector enriches the event with metadata, including the following:

{
"host":"lumina-web-1",
"index":"lumina-visitors",
"source":"lumina_visitors.log",
"sourcetype":"access_combined"
}

The following is the event as it appears in Splunk:

{
"_raw":"11.44.142.49 - - [25/Mar/2025:19:23:38 ] \"GET /logout HTTP/1.1\" 200 2326 \"https://www.forbes.com/\" \"Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)\"",
"_time":"2025-03-25T19:23:38.000-0500",
"bytes":"2326",
"clientip":"11.44.142.49",
"date_hour":"19",
"date_mday":"25",
"date_minute":"23",
"date_month":"march",
"date_second":"38",
"date_wday":"tuesday",
"date_year":"2025",
"date_zone":"local",
"file":"logout",
"host":"lumina-web-1",
"ident":"-",
"index":"lumina-visitors",
"linecount":"1",
"method":"GET",
"punct":"..._-_-_[//:::_]_\"_/_/.\"___\"://../\"_\"/._(;_/.;_+:/",
"referer":"https://www.forbes.com/",
"referer_domain":"https://www.forbes.com",
"req_time":"25/Mar/2025:19:23:38",
"source":"lumina_visitors.log",
"sourcetype":"access_combined",
"splunk_server":"idx-i-123456789b10bdb4a.luminalogic.splunkcloud.com",
"status":"200",
"timeendpos":"39",
"timestartpos":"18",
"uri":"/logout",
"uri_path":"/logout",
"user":"-",
"useragent":"Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)",
"version":"HTTP/1.1"
}

A Splunk ingest action routes the event to Imply Lumi using a ruleset.

An Imply Lumi receiver collects the event. The event header includes an IAM key token used to authenticate the connection. The token contains the following global attributes:

env: lumina logic dev
team: web ops

Imply Lumi uses these global attributes along with the system attributes—eventId, receiver, observedAt, and iamKeyId—to enrich the event.

Imply Lumi retrieves the following attributes assigned by Splunk and applies them to the event as user attributes:

host: lumina-web-1
index: lumina-visitors
sourcetype: access_combined
source: lumina_visitors.log

As a result, the enriched event in Imply Lumi consists of a combination of attributes originating from both Imply Lumi and Splunk.

The following is the event as it appears in Imply Lumi:

Timestamp:

Mar 25, 07:23:38.000 PM

Message:

11.44.142.49 - - [25/Mar/2025:19:23:38 ] "GET /logout HTTP/1.1" 200 2326 "https://www.forbes.com/" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"

System attributes:

eventId: e_uB2ts8-0614-0
observedAt: Apr 04, 03:47:51.936 PM
receiver: splunk.s3
iamKeyId: c6d5e32b-xxxx-xxxx-xxxx-37d5bed15cae
env: lumina logic dev
team: web ops

User attributes:

host: lumina-web-1
index: lumina-visitors
sourcetype: access_combined
source: lumina_visitors.log
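
The override rule stated earlier (attributes set by an upstream agent replace user attributes set on the IAM key) is not exercised by the example above, because that key sets no user attributes. The following added illustration models it with this page's values; it is not Imply Lumi code, and `enrich`, `KEY_USER`, and the returned structure are hypothetical, with the IAM-key user attributes constructed for the demonstration.

```python
# Added illustration: a model of the enrichment described on this page,
# not Imply Lumi code. Function name and return shape are hypothetical.

def enrich(upstream_attrs, key_global, key_user, system_attrs):
    """Combine attributes as the page describes.

    Returns (event_attributes, overridden), where overridden lists each
    IAM-key user attribute that an upstream value replaced, as
    (name, iam_key_value, upstream_value).
    """
    user = dict(key_user)
    overridden = []
    for name, value in upstream_attrs.items():
        if name in user and user[name] != value:
            overridden.append((name, user[name], value))
        user[name] = value  # the upstream agent's value wins over the IAM key
    event = {
        "system": dict(system_attrs),
        "global": dict(key_global),
        "user": user,
    }
    return event, overridden


# Attributes assigned by Splunk (values from the page's example).
SPLUNK_ATTRS = {
    "host": "lumina-web-1",
    "index": "lumina-visitors",
    "sourcetype": "access_combined",
    "source": "lumina_visitors.log",
}
# Global attributes on the IAM key (values from the page's example).
KEY_GLOBAL = {"env": "lumina logic dev", "team": "web ops"}
# Constructed for this illustration: user attributes assumed on the IAM key.
KEY_USER = {"host": "default-host", "owner": "web-ops-oncall"}
# System attributes (values from the page's example).
SYSTEM = {
    "eventId": "e_uB2ts8-0614-0",
    "receiver": "splunk.s3",
    "observedAt": "Apr 04, 03:47:51.936 PM",
    "iamKeyId": "c6d5e32b-xxxx-xxxx-xxxx-37d5bed15cae",
}

if __name__ == "__main__":
    event, overridden = enrich(SPLUNK_ATTRS, KEY_GLOBAL, KEY_USER, SYSTEM)
    for name, key_value, upstream_value in overridden:
        print(f"{name}: IAM key value {key_value!r} replaced by {upstream_value!r}")
    print(event["user"])
```

A non-empty `overridden` list is worth recording if you rely on IAM-key user attributes to label where events come from, because the upstream sender's value is the one that ends up on the event.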

Learn more

See the following topics for more information: