Search for events with Imply Lumi
You can search for specific events in Imply Lumi. Click Explore in the navigation menu to get started.
The explore view lists all events in Imply Lumi that occurred during a specified time period. See Tour Imply Lumi for an overview of the elements on the page.
The events bar chart shows the number of events created during the selected time period. Click a bar and select Zoom in to filter on those events.
To search for events, you can use the search bar, the attributes panel, or a combination of both.
Prerequisites
To search for events, you need an Imply Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.
Use the search bar
To search for events using the search bar:
- Enter your query into the search bar, or click to display a list of user attributes. See Imply Lumi query syntax for a list of supported operators and examples.
  - If you select or type the name of a user attribute followed by =, Imply Lumi displays a list of unique event data for that attribute. Select a single entry to display matching events.
  - To search by a system attribute, type a hash (#) followed by the attribute name.
- Use the time range selector next to the search bar to select a time range for the search. The default time range is the past 15 minutes. You can select a predefined time range or click Fixed range to set your own start and end date/time. Imply Lumi search includes the earliest time and excludes the latest time.
- Press Enter or click the search icon to execute the search.
- Click x inside the search bar to clear the search.
Example search
The following example searches for specific data in user attribute log.iostream and system attribute team for the past minute:
Click an event in the events list to see its full details:
Use the attributes panel
You can use the attributes panel to select and deselect data in user attributes.
Imply Lumi updates the search bar as you select and deselect data. Conversely, Imply Lumi updates attributes panel selections as you enter search criteria into the search bar.
The list of matching events updates if you make changes to the time range selector.
You can start a search using the attributes panel, and then modify it directly in the search bar according to your requirements.
The following example displays events that don't contain the deselected host in the past minute:
If the attribute selection uses unsupported syntax, Imply Lumi displays a message, such as "Syntax [>=] used in search is not yet supported."
Imply Lumi query syntax
Imply Lumi supports the following search operators and syntax:
Operator/Syntax | Use | Example |
---|---|---|
= | Equal to | index=main |
!= | Not equal to | method!=POST |
> | Greater than | bytes>5000 |
>= | Greater than or equal to | date_hour>=13 |
< | Less than | bytes<5000 |
<= | Less than or equal to | date_mday<=4 |
AND | Match both conditions | method=GET AND status=404 |
OR | Match either or both conditions | splunk_server=observe-01 OR host=web-01 |
NOT | Exclude results that match a condition | NOT uri="/register" |
IN | Match if a field's value is in a list | user IN (aaron94,jasmine23) |
NOT IN | Match if a field's value is not in a list | NOT status IN (400,401,403) |
(a AND b) OR c | Control the order of operations of Boolean expressions | (uri="/shop" AND uri_path="/shop") OR user=bernd74 |
attributeName=* | Match when an attribute is not null | referer=* |
NOT attributeName=* | Match when an attribute is null or not set | NOT useragent=* |
"" | Search for an exact phrase | useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)" |
* | Wildcard matching | useragent="*Windows NT*" |
Note the following:
- All queries are case-sensitive.
- You can separate search conditions with a space instead of the AND operator, for example method=GET status=404.
- To search for a term containing special characters, enclose it in double quotation marks (") or escape each special character with a backslash (\). For example, to search for the string error (critical), use the search term "error (critical)" or error \(critical\).
- To search for a double quotation mark itself, escape it with a backslash (\). For example, to search for the string "404 not found", use the search term \"404 not found\".
See search limitations for a list of unsupported syntax elements.
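As an added example that is not part of the Imply Lumi documentation or product, the following Python compiles a query written in the operator syntax above into a predicate over a flat event dict, so a filter can be checked against sample events offline before it is run in the explore view; unsupported syntax such as pipes and ~= raises an error in the style of the message quoted above. It assumes, since the page does not say, that AND binds tighter than OR, that <, >, <= and >= compare numerically, and that a bare term with no operator is a substring match on a message field.

```python
import re

_TOKEN = re.compile(r'\(|\)|(?:\\.|"(?:\\.|[^"\\])*"|[^\s()"\\])+|\S')  # "(", ")", word (may embed "..."), stray
_CMP = re.compile(r'^([A-Za-z_][\w.]*)(!=|>=|<=|=|>|<)(.+)$', re.S)      # attr<op>value, value possibly "quoted"
_NUM = {">": float.__gt__, ">=": float.__ge__, "<": float.__lt__, "<=": float.__le__}  # assumption: numeric
_glob = lambda v, p: re.fullmatch(".*".join(map(re.escape, p.split("*"))), str(v), re.S) is not None  # "*" only
_unquote = lambda s: re.sub(r'\\(.)', r'\1', s[1:-1] if len(s) > 1 and s[0] == s[-1] == '"' else s)  # "x"->x \x->x

def compile_query(query):
    """Compile a query string into a predicate over a flat event dict; unsupported syntax raises ValueError."""
    toks = _TOKEN.findall(query)
    def take(expect=None):                        # pop the next token, optionally demanding a specific one
        if not toks or (expect and toks[0] != expect):
            raise ValueError(f"expected {expect or 'a condition'}, got {toks[:1]}")
        return toks.pop(0)
    def disj():                                   # a OR b (assumption: OR binds looser than AND)
        left = conj()
        while toks[:1] == ["OR"]:
            take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, conj())
        return left
    def conj():                                   # a AND b, or just "a b": a space between conditions means AND
        left = unary()
        while toks and toks[0] not in ("OR", ")"):
            if toks[0] == "AND":
                take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, unary())
        return left
    def unary():                                  # NOT x | (expr) | attr IN (v1,v2) | attr<op>value | bare term
        tok = take()
        if tok == "NOT":
            return lambda e, inner=unary(): not inner(e)
        if tok == "(":
            inner = disj()
            take(")")
            return inner
        if toks[:1] == ["IN"]:                    # consume 'IN ( list )': exact membership, list written without spaces
            values = {_unquote(v) for v in (take("IN"), take("("), take(), take(")"))[2].split(",")}
            return lambda e: str(e.get(tok)) in values
        m = _CMP.match(tok)
        if m:
            attr, op, val = m.group(1), m.group(2), _unquote(m.group(3))   # attr=* matches any non-null value
            return lambda e: e.get(attr) is not None and (_glob(e[attr], val) == (op == "=") if op in ("=", "!=")
                                                          else _NUM[op](float(e[attr]), float(val)))
        if tok in ("AND", "OR", ")", '"', "\\") or "~=" in tok or "|" in tok:   # pipes and ~= are unsupported
            raise ValueError(f"Syntax [{tok}] used in search is not yet supported")
        return lambda e, term=_unquote(tok): term in str(e.get("message", ""))  # assumption: substring of message
    pred = disj()
    toks and take("end of query")                 # anything left over is an unbalanced ")"
    return pred
```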
Search limitations
Imply Lumi doesn't currently support the following search syntax elements:
- Pipes to chain query operations or transform data, for example a | b
- Approximate equals, for example attributeName~=searchterm
- Searching JSON values within an event body
- Splunk® Search Processing Language (SPL)