Skip to main content

Set up federated search

You can issue queries on Imply Lumi events in Splunk® software. When querying Imply Lumi in Splunk, you use the Splunk query syntax, the Splunk Search Processing Language (SPL). See Query syntax for the SPL commands supported for Imply Lumi events.

This topic provides details on configuring federated search of Imply Lumi events within Splunk.

Prerequisites

To set up federated search, you need the following:

  • An Imply Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.
  • An Imply Lumi IAM key. See Create an IAM key for details.

To search Imply Lumi events in Splunk, you need an IAM key to authenticate Imply Lumi as a federated provider.

You don't use any of the IAM key attributes when setting up federated search.

If you assigned attributes on the IAM key before sending events, Imply Lumi enriches the events with those attributes. You can search user attributes from Splunk, but you can only access system attributes within Imply Lumi.

Add a federated provider

In Splunk, add Imply Lumi as a federated provider.

Go to Settings ❯ Federation ❯ Add federated provider.

Enter the following fields to integrate with Imply Lumi:

  • Provider mode: Standard
  • Provider name: Name that you'll reference in the federated index
  • Remote host: Host address provided by Imply Lumi
  • Service account username: IAM key ID
  • Service account password: IAM key token

Complete all other fields based on your specific setup and requirements. When you're finished, click Save.

Create a federated index

Create a federated index in Splunk that reads from the Imply Lumi federated provider.

Go to Settings ❯ Federation ❯ Add federated index.

Complete the following fields:

  • Federated index name: Descriptive name for the federated index. You use the name of the federated index when searching Imply Lumi within Splunk.
  • Federated provider: Name of the Imply Lumi federated provider created in Splunk.
  • Remote dataset: Name of the Imply Lumi index to search. If you have multiple indexes in Imply Lumi that you want to search, create a federated index for each one.

Your index name in Imply Lumi and federated index name in Splunk may be different. The name of the Splunk federated index points to a specific Imply Lumi index. You define the specific Imply Lumi index in the Remote dataset field.

Example

Consider a Splunk environment in which you have a main index storing your logs. You want to start analyzing events from Imply Lumi alongside these logs. You send events to Imply Lumi into the default index that's also called main.

To search Imply Lumi in Splunk, you complete the following steps:

  • You create a federated provider for Imply Lumi called lumi.
  • You create a federated index called lumi_main.
  • You query Imply Lumi from Splunk using the federated label and index name, federated:lumi_main.

The following diagram illustrates this scenario:

federated search example

Query syntax

Once you configure the federated provider and federated index, you can query Imply Lumi in Splunk.

Use SPL to query Imply Lumi through federated search in Splunk. The following SPL commands are supported for searching Imply Lumi events:

  • search
  • head
  • tail
  • reverse

To search Imply Lumi in Splunk, include the name of the federated index in your search:
index=federated:FEDERATED_INDEX_NAME

Example Splunk query:

index=federated:lumi_index auth_user=user1

Learn more

See the following topics for more information: