Using the search assistant

Using the search assistant

Splunk's search language is extensive and includes many search commands, arguments, and functions. You might have a hard time forming a search because you are not familiar with all the commands and you don't know what information has been extracted from your data. But, searching in Splunk is interactive and free-form. You can start to investigate what is in your data just by typing keywords and phrases into the search bar and hitting Enter.

When you're building a search, you don't need to know which search commands and arguments you want to use before forming a search because the search assistant will suggest them for you. Search assistant works like typeahead to present contextual matches and completions for each keyword as you type it into the search bar. It gives you these matches based on what is in your data, updating the completions as you type in more characters and terms.

Using the search assistant

The search assistant is a Python endpoint called by the search bar that returns html to display in a panel that slides down from the search bar. The search assistant gets its description and syntax information from searchbnf.conf, which defines all the Splunk search commands and their syntax. But, it also uses fields.conf to suggest fields for autocomplete and savedsearches.conf to inform users when their search is similar to an existing saved search.

Changing search assistant settings

You can control the behavior of the search assistant with UI settings in the SearchBar module. These settings define whether to open the search assistant by default (autoOpenAssistant), to use typeahead (useTypeahead), to show command help (showCommandHelp), to show search history (showCommandHistory), and to show field information (showFieldInfo). For more information about each of these modules, refer to the " View module reference".

• Was this topic useful?
• Post a comment