Use search assistant to build searches
The Splunk Search Processing Language is extensive and includes many search commands, arguments, and functions. When writing a search in Splunk Web, you can use the search assistant to help you construct the search string.
Use search assistant to see your data as you build a search
Search assistant shows you typeahead, or contextual matches and completions for each keyword as you type it into the search bar. These contextual matches are based on what's in your data. The entries under matching terms update as you continue to type because the possible completions for your term change as well.
Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results will be returned. If a term or phrase doesn't exist in your data, you won't see it listed in search assistant.
Change settings for the search assistant
The search assistant is a Python endpoint called by the search bar that returns HTML to display in a panel that slides down from the search bar. The search assistant gets description and syntax information from
searchbnf.conf file, which defines all of the Splunk search commands and their syntax. The search assistant also uses the
fields.conf file to suggest fields for autocomplete and the
savedsearches.conf file to inform you when your search is similar to an existing saved search. If you have Splunk Enterprise and have access to these files, you can modify the settings for the search assistant. If you have Splunk Cloud and want to modify these settings, file a Support ticket.
Anatomy of a search
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11