From Cribl Stream to Imply Lumi in minutes

After a few energizing days at CriblCon 2025, one message stood out everywhere I looked: teams don’t want to do less with their data — they want to do more.

Cribl showed how to unlock that freedom at the pipeline. Imply Lumi extends it into the query layer.

This follow-on post turns that vision into something tangible — how to go from Cribl Stream to Imply Lumi in minutes.

Why Cribl + Imply Lumi?

Legacy observability platforms force tough trade-offs between cost, retention, and performance — leading to dropped data and delayed investigations. Practitioners know this pain: data grows, budgets don’t, and teams are forced to choose what to keep and what to lose.

Cribl Stream gives you control at the pipeline — filtering, enriching, and compressing data before it leaves.

Imply Lumi gives you power at the query — storing everything with full fidelity and delivering lightning-fast search without rehydration.

Lumi is designed as a drop-in data layer: it works with your existing tools, preserves your dashboards and queries, and doesn’t require retraining or pipeline rewrites. Together, Cribl and Lumi eliminate the compromises that slow teams down.

Step 1: Add a source in Cribl

In the Cribl UI, add a source such as syslog, HTTP, or the built-in datagen.

You can use data you already forward to Splunk, Elastic, or another observability tool—no new agent required.

Refer to the Cribl docs for details.

Step 2: Build a pipeline

Next, create a pipeline. This is where Cribl shines:

• Mask sensitive fields before they’re sent downstream.
  
• Parse raw logs into structured key/value pairs.
  
• Evaluate expressions to compute new fields on the fly.
  
• Drop noisy events you don’t need.

Use Data Preview to validate transformations and Pipeline Diagnostics to measure reduction before data leaves the pipeline.

The Cribl docs walk you through the process.

Step 3: Send data to Lumi

Conceptually, instead of routing data to /dev/null as shown in Cribl’s tutorials, simply route it into Lumi. Several patterns are supported:

• Direct via HEC (HTTP Event Collector): send events to Lumi’s ingestion endpoint. See the Cribl docs for setup guidance.
• Indirect via S3: stream data into S3 with Cribl, and let Lumi ingest it natively.

Because Lumi supports schemaless ingestion, it can handle JSON, nested structures, and enriched events without predefined fields.  This makes onboarding fast and future-proof, preserving evolving formats without brittle pipelines or dropped fields.

Step 4: Store data in Lumi

Once Lumi ingests data, it automatically indexes it with full fidelity. Unlike legacy stacks that rely on sampling or cold tiers, Lumi is designed to:

• Store all data without compromising fidelity.
  
• Preserve sourcetypes, metadata, and dashboards.
  
• Integrate seamlessly with your existing stack (Splunk, Grafana, and more) with no rip-and-replace.

The result: more data available, instantly, for less cost and complexity.

Step 5: Query with speed and flexibility

With Lumi, you keep the workflows you already know—while eliminating the trade-offs of limited retention or sluggish cold searches.

When data is in Lumi, it’s instantly searchable — across both recent and historical logs.
There’s no rehydration or warm-up delay. You can:

• Run fast, interactive queries directly in Lumi’s UI
  
• Query Lumi from Splunk through federated search, keeping dashboards and alerts running exactly as before

You keep the workflows you already know — while eliminating the trade-offs of limited retention or sluggish cold searches.

Why it matters

Cribl Stream helps you control how data flows.  Lumi helps you control how data is stored and searched.

Together, they deliver a modern observability architecture built for control, performance, and efficiency:

• Route and retain what matters most
  
• Search quickly and interactively across all retained data
  
• Integrate seamlessly with your existing stack
  
• Reduce costs without disrupting workflows

Lumi isn’t just a faster backend — it’s part of a next-generation architecture that decouples storage, indexing, and query from the observability tools above. That means greater flexibility, less lock-in, and a solid foundation for what comes next.

The Big Picture

Walking out of CriblCon, one thing was clear: teams are done making trade-offs.  Cribl gives you freedom at the pipeline. Lumi brings speed and scale to the query.

Together, they form the architecture observability has been waiting for—open, efficient, and built to grow with you.See Lumi in action and experience the difference for yourself.