Event model

Imply Lumi is an observability platform to store and query event data, such as log messages, HTTP request data, and system errors.

Before an event arrives in Imply Lumi, forwarding agents or other data processing mechanisms typically transform the data from its raw state. For example, a forwarder may add metadata to the event or extract field values like the timestamp. Before storing an event, Imply Lumi also performs similar event data processing tasks. See Event lifecycle for details.

This topic describes event data as stored in Imply Lumi after all data processing is complete.

Event components

Each event consists of a timestamp, a message, system attributes, and user attributes.

The event timestamp records the exact time an event occurred. For example: Mar 21, 11:54:53.120 AM.

The message consists of the event text. For example, the text of the following HTTP server access log:

11.44.142.49 - - [25/Mar/2025:19:23:38 ] "GET /logout HTTP/1.1" 200 2326 "https://www.forbes.com/" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"

System attributes

Imply Lumi defines and sets the semantics of system attributes. System attributes apply universally across all events and can only be accessed within Imply Lumi. Usually, Imply Lumi extracts system attributes from a system component such as the event collector, a receiver, or an IAM key.

System attributes contain a subset of global attributes, env and team, which you can specify when configuring an IAM key. Global attributes are associated with the IAM key used to report the event. You can set global attributes to any string value that is fewer than 32 characters.

The following table lists the system attributes that Imply Lumi may assign to an event:

| Attribute | Type | Description | Nullable | Example |
|---|---|---|---|---|
| collector | string | Version of the Imply Lumi event collector that accepted the event. Used for troubleshooting. | No | ec 20250504.1234.0 |
| env | string | Environment associated with the event. Defaults to Unknown. | Yes | staging |
| eventId | string | Unique identifier for the event. | No | a_bcNdW7-0000-10111 |
| file | string | Name of the file from which the event was ingested, if applicable. | Yes | lumina_visitors.csv |
| iamKeyId | string | IAM key or user ID used to ingest the event. | No | 9da461cb-xxxx-xxxx-xxxx-158eb31bf048 |
| observedAt | timestamp | Timestamp when the Imply event collector observed the event. This may differ from the event's original timestamp due to buffering or when events have been backfilled. | No | Mar 21, 10:09:03.772 AM |
| receiver | string | Type of receiver that collected the event. | No | event-collector |
| status | enum | Status or severity of the event, as detected or set at ingestion time. Imply Lumi evaluates incoming events for specific attributes, including status, severity, level, syslog.severity, and response. If detected, Imply Lumi maps the value to an event status using HTTP status code categories and syslog severity levels. Supported enum values: debug, info, notice, warning, error, critical, alert, emergency, ok. | Yes | info |
| team | string | Team associated with the event. Defaults to Unassigned. | Yes | backend |

User attributes

User attributes provide context to an event, such as its source and source type. User attributes can also come from information parsed from raw events or added by pipelines. You can view and search user attributes in Imply Lumi and other integrated systems.

User attribute values can be defined at various stages in the event lifecycle:

  1. On a raw event—for example, using HTTP POST requests as shown in Send events with HEC.
  2. On an upstream agent, such as the Splunk® distribution of the OpenTelemetry (OTel) collector.
  3. On an IAM key in Imply Lumi, where integration attributes are assigned as user attributes.
  4. On a pipeline in Imply Lumi, where you can map, add, or remove attributes.

Imply Lumi prioritizes the values for user attributes as follows:

  1. values set by pipelines
  2. values set on a raw event or by an upstream agent
  3. values set by an IAM key.
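The priority order above can be modeled as a merge that also records which stage supplied each final value, which helps when auditing where an index or sourcetype value came from. This is an added example, not Imply Lumi code; the stage names, function name, and sample values are assumptions made for illustration.

```python
# Added example: models the documented priority order; not Imply Lumi code.
# Stage names are hypothetical labels, listed highest priority first.
PRIORITY = ("pipeline", "event_or_agent", "iam_key")


def resolve_user_attributes(sources):
    """Merge per-stage attribute dicts into the final user attributes.

    `sources` maps a stage name from PRIORITY to the attributes set there.
    Returns (resolved, provenance, overridden), where `overridden` lists the
    lower-priority values that lost to a different higher-priority value.
    """
    unknown = set(sources) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown stage(s): {sorted(unknown)}")

    resolved, provenance, overridden = {}, {}, []
    for stage in PRIORITY:
        for name, value in sources.get(stage, {}).items():
            if name not in resolved:
                # First stage to set the attribute wins.
                resolved[name] = value
                provenance[name] = stage
            elif value != resolved[name]:
                overridden.append((name, stage, value, provenance[name]))
    return resolved, provenance, overridden


# Constructed sample: the same attributes set at three stages.
SAMPLE = {
    "iam_key": {"source": "otel", "sourcetype": "httpevent", "index": "main"},
    "event_or_agent": {"sourcetype": "access_combined", "index": "demo"},
    "pipeline": {"index": "main"},
}

if __name__ == "__main__":
    resolved, provenance, overridden = resolve_user_attributes(SAMPLE)
    for name in sorted(resolved):
        print(f"{name}={resolved[name]} (set by {provenance[name]})")
    for name, stage, value, winner in overridden:
        print(f"ignored {name}={value} from {stage}; {winner} takes priority")
```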

The following attributes are set based upon the IAM key or user configuration for file upload. Note that you can also use a pipeline to set the value for these attributes.

| Attribute | Type | Description | Integration | Examples |
|---|---|---|---|---|
| source | string | Origin of the events sent to Imply Lumi. | HEC, file upload | otel, lumina_visitors.csv |
| sourcetype | string | Type of event data. | HEC, file upload | access_combined, httpevent |
| index | string | Repository for incoming events. | HEC | main |
| indexAllowList | string | Comma-separated list of allowed values for the index field. | HEC | main, demo |

For default values, see the documentation for the corresponding application.

Filter by attributes

You can use system and user attributes to filter search results or view resource usage. For details about searching events, see Search for events with Imply Lumi.

Search system attributes

To filter events by a system attribute, add a search condition and preface the attribute name with #. You can include multiple system attributes in the search. For example, search for all events whose status is info:

#status=info

Search user attributes

To filter events by a user attribute, add a search condition with the attribute name. For example, search for events where the index is main and the source type is not otel:

index=main sourcetype!=otel

View resource usage

You can view resource usage grouped by the environment, team, or index attributes. View the resource usage for these attributes in the Usage sub-page of the Billing section. For more information about billing and usage, see Monitor account usage.

Learn more

See the following topics for more information: