Returns typeahead information for a specified prefix. The maximum number of results returned is based on the value you specify for the count argument. The typeahead command can be targeted to an index and restricted by time.
| typeahead prefix=<string> count=<int> [max_time=<int>] [index=<string>] [starttimeu=<int>] [endtimeu=<int>] [collapse=<bool>]
- Syntax: prefix=<string>
- Description: The full search string to return
- Syntax: count=<int>
- Description: The maximum number of results to return.
- Syntax: index=<string>
- Description: Search the specified index instead of the default index.
- Syntax: max_time=<int>
- Description: The maximum time in seconds that the typeahead can run. If max_time=0, there is no limit.
- Syntax: starttimeu=<int>
- Description: Set the start time to N seconds, measured in UNIX time.
- Default: 0
- Syntax: endtimeu=<int>
- Description: Set the end time to N seconds, measured in UNIX time.
- Default: now
- Syntax: collapse=<bool>
- Description: Specify whether to collapse a term that is a prefix of another term when the event count is the same.
- Default: true
Typeahead and sourcetype renaming
After renaming the sourcetype in the props.conf file, it takes about 5 minutes (the exact time might depend slightly on the performance of the server) to clear the cache data. A typeahead search that is run while the cache is being cleared returns the cached source type data. This is expected behavior.
To remove the cached data, run the following command in a terminal window:
rm $SPLUNK_HOME/var/run/splunk/typeahead/*
Then re-run the typeahead search. When you re-run the typeahead search, you should see the renamed source types.
For more information, see Rename source types in the Getting Data In manual.
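The cache-clearing step above as a guarded shell function. This is an added example, not part of the Splunk documentation, and the function name clear_typeahead_cache is hypothetical. It refuses to run when SPLUNK_HOME is unset or empty, because the bare rm would then expand to /var/run/splunk/typeahead/* at the filesystem root.

```shell
# Added example: guarded version of the rm command shown on this page.
# clear_typeahead_cache is a hypothetical helper name; the cache path is
# the one given in the documentation. Prints the number of entries removed.
clear_typeahead_cache() {
    # With SPLUNK_HOME unset or empty, the unguarded command would target
    # /var/run/splunk/typeahead/* on the host, so stop here instead.
    if [ -z "${SPLUNK_HOME:-}" ]; then
        echo "SPLUNK_HOME is not set" >&2
        return 2
    fi
    cache_dir="$SPLUNK_HOME/var/run/splunk/typeahead"
    if [ ! -d "$cache_dir" ]; then
        echo "no typeahead cache directory at $cache_dir" >&2
        return 1
    fi
    removed=0
    for entry in "$cache_dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that literal.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # Like the plain rm, remove files and symlinks only and do not
        # descend into subdirectories.
        if [ -f "$entry" ] || [ -L "$entry" ]; then
            rm -f -- "$entry" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}
```

Call it as the user that owns the Splunk installation, then re-run the typeahead search as described above.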
The typeahead command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Return typeahead information for sources in the "_internal" index.
| typeahead prefix=source count=10 index=_internal
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.3, 7.0.2, 7.0.0