Event model
Imply Lumi is an observability platform for storing and querying event data, such as log messages, HTTP request data, and system errors. Before arriving in Imply Lumi, a raw event (an unmodified event in its original state) undergoes transformations, which can include any number of changes, such as the addition of metadata or field extraction.
This topic describes the event model for events stored in Imply Lumi.
Event components
Each event consists of the following components:
Timestamp: The exact time an event occurred.
For example: Mar 21, 11:54:53.120 AM
Message: The text of an event. For example, a log message like the following:
11.44.142.49 - - [25/Mar/2025:19:23:38 ] "GET /logout HTTP/1.1" 200 2326 "https://www.forbes.com/" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
The event also contains metadata stored as system attributes and user attributes.
System attributes
Imply Lumi defines and sets the semantics of system attributes. System attributes apply universally across all events and can only be accessed within Imply Lumi. Usually, Imply Lumi extracts system attributes from a system component such as the event collector, a receiver, or an IAM key.
System attributes contain a subset of global attributes, env and team, which you can specify when configuring an IAM key.
Global attributes are associated with the IAM key used to report the event.
You can set global attributes to any string value that is fewer than 32 characters.
The following table lists the system attributes that Imply Lumi may assign to an event:
Attribute | Type | Description | Nullable | Example |
---|---|---|---|---|
eventId | string | Unique identifier for the event. | No | a_bcNdW7-0000-10111 |
observedAt | timestamp | Timestamp when the Imply event collector observed the event. This may differ from the event's original timestamp due to buffering or when events have been backfilled. | No | Mar 21, 10:09:03.772 AM |
receiver | string | Type of receiver that collected the event. | No | event-collector |
iamKeyId | string | IAM key or user ID used to ingest the event. | No | 9da461cb-xxxx-xxxx-xxxx-158eb31bf048 |
env | string | Environment associated with the event. You can set this attribute on the IAM key. Unset by default. | Yes | staging |
team | string | Team associated with the event. You can set this attribute on the IAM key. Unset by default. | Yes | backend |
status | enum | Status or severity of the event, as detected or set at ingestion time. Imply Lumi evaluates incoming events for specific attributes, including status, severity, level, syslog.severity, and response. If detected, Imply Lumi maps the value to an event status using HTTP status code categories and syslog severity levels. Supported enum values: debug, info, notice, warning, error, critical, alert, emergency, ok. | Yes | info |
file | string | Name of the file from which the event was ingested, if applicable. | Yes | lumina_visitors.csv |
Imply Lumi provides a monthly breakdown of usage, grouped by an attribute such as key, team, environment, or index. You can view the resource usage for these attributes in the Usage sub-page of the Billing section.
To search events and filter them by system attributes, preface the attribute name with #. For example:
#status=info
User attributes
User attributes provide context to an event, such as its source and source type. User attributes can also come from information parsed from raw events or added by pipelines. You can view and search user attributes in Imply Lumi and other integrated systems.
User attribute values can be defined at various stages:
- On a raw event—for example, using HTTP POST requests as shown in Send events with HEC.
- On an upstream agent, such as the Splunk® distribution of the OpenTelemetry (OTel) collector.
- On a pipeline in Imply Lumi, where you can map, add, or remove attributes.
- On an IAM key in Imply Lumi, where integration attributes are assigned as user attributes.
Note that user attributes derived from raw events and upstream agents take precedence over any attributes you set on IAM keys in Imply Lumi.
The following table lists the user attributes that Imply Lumi can assign to an event based on the integration that sent the event:
Attribute | Type | Description | Integration | Examples |
---|---|---|---|---|
source | string | Origin of the events sent to Imply Lumi. | HEC, file upload | otel, lumina_visitors.csv |
sourcetype | string | Type of event data. | HEC, file upload | access_combined, httpevent |
index | string | Repository for incoming events. | HEC | main |
indexAllowList | string | Comma-separated list of allowed values for the index field. | HEC | main, demo |
For default values, see the documentation for the corresponding application.
To search events and filter them by user attributes, use equality filters on the attribute names.
For example, the following query returns events where the index is main and the source type is not otel:
index=main sourcetype!=otel
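The following added example (not Imply Lumi code and not its query engine) models an event as separate system and user attribute maps, applies the precedence rule for user attributes, and evaluates the two filter forms shown on this page. The event layout, the function names, the eventId values, and the treatment of a missing attribute as "not equal" are assumptions made for illustration.

```python
import re

# One filter term: optional '#' (system attribute), name, '=' or '!=', value.
TERM = re.compile(r"^(#?)([A-Za-z_][\w.]*)(!=|=)(.+)$")

def resolve_user_attributes(event_attrs, iam_key_attrs):
    """Merge user attributes: values from the raw event or an upstream
    agent take precedence over values set on the IAM key."""
    merged = dict(iam_key_attrs)
    merged.update(event_attrs)
    return merged

def parse_query(query):
    """Split a whitespace-separated query into (is_system, name, op, value)."""
    terms = []
    for token in query.split():
        m = TERM.match(token)
        if m is None:
            raise ValueError(f"unsupported term: {token!r}")
        terms.append((m.group(1) == "#", m.group(2), m.group(3), m.group(4)))
    return terms

def matches(event, query):
    """True when every term holds. A missing attribute reads as None,
    so it fails '=' and passes '!=' (assumption)."""
    for is_system, name, op, value in parse_query(query):
        scope = event["system"] if is_system else event["user"]
        actual = scope.get(name)
        if (actual == value) != (op == "="):
            return False
    return True

# Constructed sample events; attribute names and values follow the tables above.
EVENTS = [
    {"system": {"eventId": "evt-1", "status": "info", "env": "staging"},
     "user": resolve_user_attributes({"sourcetype": "access_combined"},
                                     {"index": "main", "sourcetype": "httpevent"})},
    {"system": {"eventId": "evt-2", "status": "error", "env": None},
     "user": resolve_user_attributes({"sourcetype": "otel", "index": "main"}, {})},
    {"system": {"eventId": "evt-3", "status": "info", "env": "staging"},
     "user": resolve_user_attributes({}, {"index": "demo", "sourcetype": "httpevent"})},
]

def search(query):
    return [e["system"]["eventId"] for e in EVENTS if matches(e, query)]

if __name__ == "__main__":
    print(search("#status=info"))
    print(search("index=main sourcetype!=otel"))
```

In this model, `#index=main` returns nothing because index is a user attribute, which shows why the # prefix matters when writing filters for audits or alerts.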
Learn more
See the following topics for more information:
- IAM keys for reference information on IAM keys.
- Send events for sending events to Imply Lumi.
- Search events for querying events in Imply Lumi.