How to search for events with Imply Lumi
Imagine that you work for a company that runs a web store that sells to customers and businesses. You want to analyze web traffic to your store to better serve customers and manage inventory. You have a system that collects web logs, and you're using Imply Lumi for efficient data storage.
You can query the logs in Imply Lumi for insights on site traffic, user behavior, inventory management, errors, and performance.
This search tutorial builds on the Quickstart to walk you through a set of example queries for each of these categories. See Imply Lumi query syntax for details on the supported syntax.
The following diagram summarizes the steps you'll take in this tutorial to gain insights from the sample logs.
Prerequisites
Before you begin this tutorial, complete the Quickstart to populate Imply Lumi with events.
Make sure you're familiar with the Imply Lumi Explore view, including the time range selector. To retrieve the same results from the sample file that are shown in the queries below, set the time range to May 01, 2025, 21:00-22:38.
The events list displays the Time and Content columns by default. Click a column heading and select Add column to the left/right to display additional columns that are relevant to the query.
1. Collect traffic insights
Site traffic data provides you with information on the volume, timing, and sources of site visits. It's useful for marketing, site performance monitoring, and identifying UX and engagement issues.
Quick queries
Run these queries to explore overall traffic volume, behavior, and sources.
Use case | Query |
---|---|
Retrieve successful page loads. | method=GET status=200 |
Show requests with known referers. | referer=* |
Show successful mobile traffic from Android users during the period 8 PM - 10 PM. | (method=GET OR method=POST) status=200 useragent="*Android*" date_hour IN (20,21,22) |
Detailed examples
This section contains targeted queries that explore specific traffic flows and their origins.
- Run the following query to show all successful requests that originated from another page:
(method=GET OR method=POST) status=200 referer=*
Example output:
Time | Method | Referer |
---|---|---|
01 May, 22:36:28.000 | GET | https://www.instagram.com/ |
01 May, 22:36:16.000 | POST | https://www.linkedin.com/ |
01 May, 22:35:45.000 | GET | https://www.amazon.com/ |
01 May, 22:33:54.000 | GET | https://www.quora.com/ |
01 May, 22:31:16.000 | GET | https://www.trustpilot.com/ |
- Run the following query to show successful transitions from the /shop page to specific product pages:
referer="/shop" uri="/product/*" status=200
Example output:
Time | User | Uri |
---|---|---|
01 May, 22:28:37.000 | ochambers | /product/sunset-lamp |
01 May, 22:50:02.000 | mariewilliams | /product/aurora-pendant |
01 May, 22:38:35.000 | janet27 | /product/zen-diffuser |
2. Analyze user behavior
These queries help you understand how individual users interact with the site. They’re useful for UX research, personalization strategies, and behavioral segmentation.
Quick queries
Run the following queries to examine individual users’ actions and interactions across the site.
Use case | Query |
---|---|
Filter activity by a specific user. | user=aaron94 |
Show registration page visits. | uri="/register" |
Show search activity. | uri_path="/search" method=POST |
Return the activity of two specific users. | user IN (aaron94,jasmine23) |
Detailed examples
This section contains structured queries to reveal user journeys or combined behavior patterns.
- Run the following query to show searches performed by two specific users, or any access to the trending page:
(user IN (brian52,mbooker) AND uri_path="/search") OR uri="/trending"
Example output:
Time | User | Uri_path |
---|---|---|
01 May, 22:38:18.000 | ochambers | /trending |
01 May, 22:20:21.000 | brenda47 | /trending |
01 May, 21:57:49.000 | emily11 | /trending |
01 May, 21:50:47.000 | seth46 | /trending |
01 May, 21:48:56.000 | brian52 | /search |
01 May, 21:44:09.000 | mbooker | /search |
01 May, 21:19:57.000 | atkinsoncindy | /trending |
- Run the following query to show specific users of Windows devices who viewed product pages successfully, and navigated from the /shop page:
user IN (aaron94,janet27,ochambers) uri="/product/*" status=200 referer="/shop" useragent="*Windows*"
Example output:
User | Uri | Useragent |
---|---|---|
aaron94 | /product/zen-diffuser | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
ochambers | /product/aurora-pendant | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
aaron94 | /product/sunset-lamp | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
3. Track inventory activity
Inventory data reflects how products are browsed, added to carts, and updated. These queries support merchandising, stock control, and operational monitoring.
Quick queries
Run the following queries to monitor product views, cart activity, and inventory updates.
Use case | Query |
---|---|
Show product page views, which can imply interest or demand. | uri_path="/product" method=GET |
Show add-to-cart actions. | uri="/cart/add" method=POST |
Fetch low stock items. | uri="/admin/inventory-alerts" method=GET |
Show when the admin user updated stock via a POST method. | user=admin method=POST uri="/inventory/update" |
Show when staff exported stock data. | uri="/admin/export/inventory.csv" method=GET |
Detailed examples
This section contains queries that return specific inventory-related activity from the sample data.
- Run the following query to reveal customer interest in specific products:
uri_path IN (/product/aurora-pendant,/product/nimbus-dome,/product/haloglow-chandelier) method=GET
Example output:
Uri_path | User | Referer |
---|---|---|
/product/aurora-pendant | kennethjohnson | https://www.aliexpress.com |
/product/haloglow-chandelier | bernd74 | http://www.amazon.co.uk |
/product/nimbus-dome | alice997 | https://www.amazon.com |
- Run the following query to return all events where a user added a product to their cart using a POST request:
uri="/cart/add" method=POST
Example output:
Uri | User | Host | Referer |
---|---|---|---|
/cart/add | kennethjohnson | web-01 | https://www.aliexpress.com |
- Run the following query to identify real users (not bots) who visited their cart but didn't proceed to checkout:
uri="/cart/remove" method=POST NOT useragent="*bot*"
Example output:
User | Uri_path | Uri_query | Referer |
---|---|---|---|
jseinfeld | /cart/remove | product=sunset-lamp | https://www.amazon.com |
smitheleanor | /cart/remove | product=aurora-pendant | https://www.quora.com |
4. View errors and anomalies
These queries help identify failed requests, potential bugs, suspicious behavior, and unauthorized access attempts. They’re useful for security audits and debugging.
Quick queries
Run the following queries to detect failed requests, bots, and potentially unauthorized actions.
Use case | Query |
---|---|
Show failed requests. | status IN (400,404,500) |
Show direct traffic. | referer=*direct* |
Display known bot activity. | useragent="*MJ12bot*" |
Detailed examples
This section contains queries to uncover specific suspicious and failed actions in the sample data.
- Run the following query to detect unauthorized delete actions:
NOT user IN (admin,inventory_mgr) uri_path=/admin/inventory/delete/aurora-pendant
Example output:
Time | Uri_path | Method | User |
---|---|---|---|
01 May, 23:13:51.000 | /admin/inventory/delete/aurora-pendant | DELETE | bernd74 |
- Run the following query to identify client-side errors that occurred specifically on product pages:
uri="/product/*" status IN (400,404)
Example output:
Uri | User | Status |
---|---|---|
/product/aurora-pendant/reviews | bernd74 | 400 |
/product/nimbus-dome | alice997 | 404 |
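The unauthorized-delete query in this section is pinned to one product path. As an added example (not part of the Imply Lumi documentation or product), the following Python code applies the same allowlist logic offline to constructed events, widened to every path under /admin/. The event values, the `/admin/*` glob, the handling of events with no user field, and the succeeded/rejected labels are assumptions of this example.

```python
from fnmatch import fnmatchcase

ALLOWED = {"admin", "inventory_mgr"}   # allowlist taken from the page's query
ADMIN_GLOB = "/admin/*"                # assumption: cover every admin URI, not one product

# Constructed events (not Lumi output); field names follow the tutorial.
EVENTS = [
    {"time": "23:13:51", "user": "bernd74", "method": "DELETE", "status": 200,
     "uri_path": "/admin/inventory/delete/aurora-pendant"},
    {"time": "23:14:02", "user": "admin", "method": "DELETE", "status": 200,
     "uri_path": "/admin/inventory/delete/zen-diffuser"},
    {"time": "23:15:40", "user": "alice997", "method": "GET", "status": 403,
     "uri_path": "/admin/export/inventory.csv"},
    {"time": "23:16:05", "method": "GET", "status": 200,   # no user field
     "uri_path": "/admin/inventory-alerts"},
    {"time": "23:17:11", "user": "janet27", "method": "GET", "status": 200,
     "uri_path": "/product/sunset-lamp"},
]

def unauthorized_admin_requests(events, allowed=ALLOWED, glob=ADMIN_GLOB):
    """Return admin-path requests made by anyone outside the allowlist."""
    hits = []
    for e in events:
        if not fnmatchcase(e.get("uri_path", ""), glob):
            continue                      # not an admin URI
        user = e.get("user")              # None when the event carries no user
        if user in allowed:
            continue                      # expected administrative activity
        # A 2xx status means the server honoured the request: an access-control
        # failure to fix, not just a probe that was turned away.
        outcome = "succeeded" if 200 <= e.get("status", 0) < 300 else "rejected"
        hits.append({"time": e["time"], "user": user or "<unauthenticated>",
                     "method": e["method"], "uri_path": e["uri_path"],
                     "outcome": outcome})
    # Successful requests first, then chronological.
    return sorted(hits, key=lambda h: (h["outcome"] != "succeeded", h["time"]))

if __name__ == "__main__":
    for h in unauthorized_admin_requests(EVENTS):
        print(h["time"], h["user"], h["method"], h["uri_path"], h["outcome"])
```

Sorting successful requests first separates access-control gaps that need a fix from probes the server already rejected.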
5. Monitor performance
Performance queries focus on server load, response timing, and infrastructure usage. They’re useful for operations, DevOps teams, and load testing.
Quick queries
Run the following queries to view system activity and identify performance patterns.
Use case | Query |
---|---|
Retrieve logs on a specific Splunk® server. | splunk_server=observe-01 |
Display traffic for a specific index and host. | index=main host="web-01" |
Display large successful responses. | bytes > 5000 status=200 |
Show requests where the response time was captured. | req_time=* |
Detailed examples
This section contains queries to identify system activity patterns.
- Run the following query to show requests to product pages that occurred after 9 PM and involved large responses (more than 5000 bytes):
uri="/product/*" bytes>5000 date_hour>=21
Example output:
Time | Uri | User | Bytes |
---|---|---|---|
01 May, 22:58:10.000 | /product/aurora-pendant/reviews | janet27 | 8787.0 |
01 May, 22:53:47.000 | /product/sunset-lamp/reviews | ochambers | 6565.0 |
01 May, 22:51:22.000 | /product/sunset-lamp/reviews | aaron94 | 7443.0 |
- Run the following query to identify requests that returned status 200 (OK) but had a very small response size. This potentially points to minimal or blank page responses or server-side issues returning incomplete data:
status=200 bytes<1000 method=GET
Example output:
Time | Uri | User | Bytes |
---|---|---|---|
01 May, 23:31:58.000 | /featured-products | jaredevans | 787.0 |
01 May, 23:09:37.000 | /checkout | ythomas | 935.0 |
01 May, 22:54:32.000 | /account/wishlist | herrerabriana | 300.0 |
01 May, 22:50:48.000 | /account/addresses | charlenefields | 816.0 |
01 May, 22:23:16.000 | /cart | davisbarry | 452.0 |
Learn more
See the following topics for more information:
- Search for events with Imply Lumi for details on supported search syntax and search limitations.
- Tour Imply Lumi for an introduction to the Imply Lumi UI.
- File upload reference for more details on file upload.
- Event model for information on the components and attributes in Lumi events.