About the search assistant
Splunk's search language is extensive and includes many search commands, arguments, and functions. You might have a hard time forming a search because you are not familiar with all the commands and you don't know what information has been extracted from your data.
Use search assistant to see your data as you build a search
When you're building a search, you don't need to know which search commands and arguments you want to use before forming a search because the search assistant will suggest them for you.
Search assistant shows you typeahead, or contextual matches and completions for each keyword as you type it into the search bar. These contextual matches are based on what's in your data. The entries under matching terms update as you continue to type because the possible completions for your term change as well.
Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results Splunk will return. If a term or phrase doesn't exist in your data, you won't see it listed in search assistant.
Change settings for the search assistant
The search assistant is a Python endpoint called by the search bar that returns html to display in a panel that slides down from the search bar. The search assistant gets its description and syntax information from
searchbnf.conf, which defines all the Splunk search commands and their syntax. But, it also uses
fields.conf to suggest fields for autocomplete and
savedsearches.conf to inform users when their search is similar to an existing saved search.
You can control the behavior of the search assistant with UI settings in the SearchBar module. These settings define whether to open the search assistant by default (
autoOpenAssistant), to use typeahead (
useTypeahead), to show command help (
showCommandHelp), to show search history (
showCommandHistory), and to show field information (
showFieldInfo). For more information about each of these modules, refer to the " Module Reference".
Set search mode to adjust your search experience
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14