Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use search assistant to build searches

The Splunk Search Processing Language is extensive and includes many search commands, arguments, and functions. When writing a search in Splunk Web, you can use the search assistant to help you construct the search string.

Use search assistant to see your data as you build a search

Search assistant shows you typeahead, or contextual matches and completions for each keyword as you type it into the search bar. These contextual matches are based on what's in your data. The entries under matching terms update as you continue to type because the possible completions for your term change as well.

Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results will be returned. If a term or phrase doesn't exist in your data, you won't see it listed in search assistant.

Change settings for the search assistant

The search assistant is a Python endpoint called by the search bar that returns HTML to display in a panel that slides down from the search bar. The search assistant gets description and syntax information from searchbnf.conf file, which defines all of the Splunk search commands and their syntax. The search assistant also uses the fields.conf file to suggest fields for autocomplete and the savedsearches.conf file to inform you when your search is similar to an existing saved search. If you have Splunk Enterprise and have access to these files, you can modify the settings for the search assistant. If you have Splunk Cloud and want to modify these settings, file a Support ticket.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:Search:Usingthesearchassistant:6.2beta&oldid=882918"
PREVIOUS
Anatomy of a search 		  NEXT
Search actions

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters