
Search for events with Imply Lumi

You can search for specific events in Imply Lumi. Click Explore in the navigation menu to get started.

The explore view lists all events in Imply Lumi that occurred during a specified time period. See Tour Imply Lumi for an overview of the elements on the page.


The events bar chart shows the number of events created during the selected time period. Click a bar and select Zoom in to filter on those events.

To search for events, you can use the search bar, the attributes panel, or a combination of both.

Prerequisites

To search for events, you need an Imply Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.

To search for events using the search bar:

  1. Enter your query into the search bar, or click to display a list of user attributes.

    • If you select or type the name of a user attribute followed by =, Imply Lumi displays a list of unique event data for that attribute. Select a single entry to display matching events.
    • To search by a system attribute, type a hash (#) followed by the attribute name.
  2. Press Enter or click the search icon to execute the search.

  3. Click x inside the search bar to clear the search.

The following example searches for specific data in user attribute log.iostream and system attribute team:

Example search

Imply Lumi query syntax

Imply Lumi supports the following search syntax:

  • Type a space between search criteria to connect them with AND, or use the AND operator explicitly.
  • Use the OR, NOT, IN, and NOT IN operators.
  • Parenthesized groups, for example (a AND b) OR c
  • Phrases, for example "windows nt 10.0"
  • Use = as the equal-to operator.
  • Use != as the not-equal-to operator.
  • If a term contains special characters, enclose it in double quotation marks (") or escape it with a backslash (\).
  • To search for a double quotation mark itself, escape it with a backslash (\).
  • attributeName=* finds events where the attribute is not null.
  • NOT attributeName=* finds events where the attribute is null or not set.
  • All queries are case-insensitive.

See search limitations for a list of unsupported syntax elements.

Click on an event in the list to see its full details:

Event details

Select a time range

Use the time range selector list next to the search bar to select a time range for the search. By default, Imply Lumi searches for events created during the past 15 minutes.

You can select a predefined time range or click Fixed range to set your own start and end date/time.

Use the attributes panel

You can use the attributes panel to select and deselect data in user attributes.

Imply Lumi updates the search bar as you select and deselect data. Conversely, Imply Lumi updates attributes panel selections as you enter search criteria into the search bar.

You can start a search using the attributes panel, and then modify it directly in the search bar according to your requirements.

The following example displays events that don't contain the deselected host:

De-selected attribute search

Info: If the attribute selection uses unsupported syntax, Imply Lumi displays a message, such as "Syntax [>=] used in search is not yet supported."

Search limitations

Imply Lumi doesn't currently support the following search syntax elements:

  • >, >=, <, and <=
  • Wildcard matching, for example team=partialname*
  • Pipes, for example a | b
  • Approximate equals, for example term~=
  • Searching JSON values within an event body
  • Splunk® Search Processing Language (SPL)
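
When searches are ported from another tool, for example saved detection searches written in SPL, it helps to check them against the query syntax and limitations above before pasting them into the search bar. The following linter is an added example, not Imply code; it does not call Imply Lumi, and the names `mask_literals`, `lint_query`, and the sample searches are hypothetical. It skips quoted phrases and backslash-escaped characters, and it treats a bare `attributeName=*` as the supported not-null test rather than as a wildcard.

```python
import re

# Elements from the "Search limitations" list that can be spotted lexically.
UNSUPPORTED = [
    (re.compile(r"~="), "approximate equals"),
    (re.compile(r">=|<=|>|<"), "range comparison"),
    (re.compile(r"\|"), "pipe"),
    # "*" glued to term text is a wildcard; a bare attributeName=* is the
    # supported not-null test and must not be flagged.
    (re.compile(r"[^\s=*()]\*|\*[^\s()*]"), "wildcard matching"),
]

def mask_literals(query):
    """Replace quoted phrases and backslash-escaped characters with "_".

    Offsets are preserved. Returns (masked, offset of an unclosed quote or -1).
    """
    out, open_at, i = [], -1, 0
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            out.append("__")  # the escaped character is literal text
            i += 2
            continue
        if ch == '"':
            open_at = i if open_at < 0 else -1  # toggle phrase state
            out.append("_")
        else:
            out.append("_" if open_at >= 0 else ch)
        i += 1
    return "".join(out), open_at

def lint_query(query):
    """Return sorted (offset, text, reason) findings for one search string."""
    masked, open_at = mask_literals(query)
    findings = [(m.start(), query[m.start():m.end()], reason)
                for pattern, reason in UNSUPPORTED
                for m in pattern.finditer(masked)]
    if open_at >= 0:
        # Extra sanity check, not from the page's list: an unclosed quote
        # would otherwise hide the rest of the query from this linter.
        findings.append((open_at, '"', "unterminated quoted phrase"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample searches; attribute values are made up.
    for q in ['log.iostream=stderr #team=platform', 'host=* AND NOT user=*',
              'status>=500', 'team=partialname*', '"a | b >= c*"', 'a | b']:
        print(f"{q!r}: {lint_query(q) or 'ok'}")
```

An empty result means only that none of the lexically detectable limitations were found; searching JSON values within an event body cannot be detected this way.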