Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Using the search assistant

Splunk's search language is extensive and includes many search commands, arguments, and functions. You might have a hard time forming a search because you are not familiar with all the commands and you don't know what information has been extracted from your data. But, searching in Splunk is interactive and free-form. You can start to investigate what is in your data just by typing keywords and phrases into the search bar and hitting Enter.

When you're building a search, you don't need to know which search commands and arguments you want to use before forming a search because the search assistant will suggest them for you. Search assistant works like typeahead to present contextual matches and completions for each keyword as you type it into the search bar. It gives you these matches based on what is in your data, updating the completions as you type in more characters and terms.

Using the search assistant

The search assistant is a Python endpoint called by the search bar that returns html to display in a panel that slides down from the search bar. The search assistant gets its description and syntax information from searchbnf.conf, which defines all the Splunk search commands and their syntax. But, it also uses fields.conf to suggest fields for autocomplete and savedsearches.conf to inform users when their search is similar to an existing saved search.

Changing search assistant settings

You can control the behavior of the search assistant with UI settings in the SearchBar module. These settings define whether to open the search assistant by default (autoOpenAssistant), to use typeahead (useTypeahead), to show command help (showCommandHelp), to show search history (showCommandHistory), and to show field information (showFieldInfo). For more information about each of these modules, refer to the " View module reference".

PREVIOUS
Best practices for searching
  NEXT
About the Search Job Inspector

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters