Since releasing Imply Lumi in September 2025 as a decoupled data layer for observability, the Imply R&D team has been hard at work to make it easier and more economical to retain, query, and analyze observability data — without disrupting existing workflows.
This blog highlights recently delivered capabilities across ingestion, performance, and Splunk interoperability and previews what's coming next.
Ingest, retain, and access more observability data
Lumi is designed to store and query observability data at a fraction of the cost of traditional platforms, without forcing teams to choose between retention and performance. You’ll soon be able to configure data deletion rules that automatically remove data based on filters and specific time periods to reduce costs and optimize query performance.
We’ve made a number of significant performance improvements to help you make your datasets queryable as quickly as possible. With historical data loading optimized through date-based partitioning and a dedicated processing queue, you can now efficiently load and query your historical datasets while keeping real-time events a priority. To help you easily identify and resolve data collection issues, we’ve added a view that shows unparsable events that could not be collected. We’ll soon be releasing additional improvements that allow you to more easily manage and monitor data loading.
Our event collection systems have optimized autoscaling and reduced memory and CPU utilization, resulting in higher ingestion scalability, reduced storage size, and lower query latency.
Predefined pipelines enable you to process common data types. Pipelines apply standard parsing and enrichment rules so your data is ready to use as soon as it’s ingested. We’re continuously expanding our out-of-the-box dataset coverage. Support for VPC flow logs and Windows event logs is available now, with support for CrowdStrike Falcon Data Replicator, Wiz security and audit logs, and Palo Alto Networks logs coming soon.
Operate with your existing workflows
Imply Lumi is built to extend Splunk, not replace it.
You can leverage a wide range of SPL commands to query Lumi events from Splunk, including the core commands Splunk users rely on daily. Use stats to aggregate data, timechart and chart to visualize trends, and eval to create calculated fields. Filter results with search and where, extract patterns with rex, parse JSON with spath, and identify common values with top and rare. These commands give you the analytical power to explore Lumi event data directly from your familiar Splunk interface.
You can easily update Splunk dashboards to point at Lumi events. This Splunk dashboard shows site activity from Apache web logs, querying using Lumi federated search:

We’ve been hard at work expanding our support for Splunk Knowledge Objects. Data models are now supported, allowing you to create a unified view of your data across both Lumi and Splunk. Configure the data model integration in Lumi to seamlessly analyze Lumi events alongside your Splunk data without changing your existing queries or workflows. For example, use the Web data model to analyze Lumi web server logs alongside your Splunk security events.
We’ll add support for lookups in an upcoming release, allowing you to enrich your Lumi events with contextual data from reference tables like user details, asset information, and threat intelligence. This makes your data more actionable without requiring reingestion or restructuring.
Lumi in your own cloud environment
Lumi Enterprise is now available.
With Lumi Enterprise, you can deploy Lumi in your own AWS environment while retaining the benefits of the managed SaaS experience. Support for additional cloud providers is coming soon.
This deployment option enables:
- Greater control over data residency and compliance
- Deployment in regulated or restricted environments
- Seamless alignment with existing cloud infrastructure
What’s Next
We’re excited to continue to expand Imply Lumi’s performance, manageability, and ecosystem integrations as we build on its decoupled foundation for observability and security.
Check the docs for the latest updates as new capabilities and integrations become available.