Skip to main content

Set up federated search

You can issue queries on Imply Lumi events in Splunk® software. When querying Imply Lumi in Splunk, you use the Splunk query syntax, the Splunk Search Processing Language (SPL). See Search for events with Splunk for the SPL commands supported for Imply Lumi events.

This topic provides details on configuring federated search of Imply Lumi events within Splunk.

Prerequisites

To set up federated search, you need the following:

  • An Imply Lumi user with the Viewer role or higher. For information on roles and permissions, see Manage roles.
  • An Imply Lumi IAM key. See Create an IAM key for details.

To search Imply Lumi events in Splunk, you need an IAM key to authenticate Imply Lumi as a federated provider.

You don't use any of the IAM key attributes when setting up federated search.

If you assigned attributes on the IAM key before sending events, Imply Lumi enriches the events with those attributes. You can search user attributes from Splunk, but you can only access system attributes within Imply Lumi.

Add a federated provider

In Splunk, add Imply Lumi as a federated provider.

Go to Settings ❯ Federation ❯ Add federated provider.

Enter the following fields to integrate with Imply Lumi:

  • Provider mode: Standard
  • Provider name: Name that you'll reference in the federated index
  • Remote host: Host address provided by Imply Lumi
  • Service account username: IAM key ID
  • Service account password: IAM key token

Complete all other fields based on your specific setup and requirements. When you're finished, click Save.

Create a federated index

Create a federated index in Splunk that reads from the Imply Lumi federated provider.

Go to Settings ❯ Federation ❯ Add federated index.

Complete the following fields:

  • Federated index name: Descriptive name for the federated index. You use the name of the federated index when searching Imply Lumi within Splunk.
  • Federated provider: Name of the Imply Lumi federated provider created in Splunk.
  • Remote dataset: Name of the Imply Lumi index to search. If you have multiple indexes in Imply Lumi that you want to search, create a federated index for each one.

Your index name in Imply Lumi and federated index name in Splunk may be different. The name of the Splunk federated index points to a specific Imply Lumi index. You define the specific Imply Lumi index in the Remote dataset field.

Example

Consider a Splunk environment in which you have a main index storing your logs. You want to start analyzing events from Imply Lumi alongside these logs. You send events to Imply Lumi into the default index that's also called main.

To search Imply Lumi in Splunk, you complete the following steps:

  • Create a federated provider for Imply Lumi called lumi.
  • Create a federated index called lumi_main.
  • Query Imply Lumi from Splunk using the federated label and index name, federated:lumi_main.

The following diagram illustrates this scenario:

federated search example

Search for events

Once you configure the federated provider and federated index, you can query Imply Lumi events in Splunk.

To search for Imply Lumi events:

  1. Open the Search & Reporting app in Splunk.

  2. Enter your query into the search bar, using the following syntax to specify the federated index:

    index=federated:FEDERATED_INDEX_NAME

    For example:

    index=federated:lumi_main host=web-01

  3. Use the time range selector next to the search bar to select a time range for the search. The default time range is the past 15 minutes. You can select a preset time range or click Date range to set your own start and end date/time. Splunk search excludes the earliest and latest times.

  4. Press Enter or click the search icon to execute the search.

For federated search examples using supported SPL commands, see Search Imply Lumi events with Splunk.

Learn more

See the following topics for more information: