Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the search assistant

Splunk's search language is extensive and includes many search commands, arguments, and functions. You might have a hard time forming a search because you are not familiar with all the commands and you don't know what information has been extracted from your data.

Use search assistant to see your data as you build a search

When you're building a search, you don't need to know which search commands and arguments you want to use before forming a search because the search assistant will suggest them for you.

Search assistant shows you typeahead, or contextual matches and completions for each keyword as you type it into the search bar. These contextual matches are based on what's in your data. The entries under matching terms update as you continue to type because the possible completions for your term change as well.

Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results Splunk will return. If a term or phrase doesn't exist in your data, you won't see it listed in search assistant.

Change settings for the search assistant

The search assistant is a Python endpoint called by the search bar that returns html to display in a panel that slides down from the search bar. The search assistant gets its description and syntax information from searchbnf.conf, which defines all the Splunk search commands and their syntax. But, it also uses fields.conf to suggest fields for autocomplete and savedsearches.conf to inform users when their search is similar to an existing saved search.

You can control the behavior of the search assistant with UI settings in the SearchBar module. These settings define whether to open the search assistant by default (autoOpenAssistant), to use typeahead (useTypeahead), to show command help (showCommandHelp), to show search history (showCommandHistory), and to show field information (showFieldInfo). For more information about each of these modules, refer to the " Module Reference".

PREVIOUS
Set search mode to adjust your search experience
  NEXT
About search

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters