Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Help building searches

The Splunk Search Processing Language (SPL) includes many commands and functions that you can use to build searches. All of the commands and functions are documented in the Search Reference.

When you write a search in Splunk Web, there are several built-in features that help you build and parse searches.

  • Search assistant modes
  • Syntax highlighting
  • Auto-format search syntax
  • Numbering search lines
  • Shortcuts


This topic discusses using the search assistant. See Help reading searches for information about syntax highlighting, auto-formatting, line numbers, and shortcuts.

Use the search assistant to build searches

When you type a few letters or a term into the search bar, the search assistant shows you terms and searches that match what you typed.

This screen image shows the search assistant Compact mode. The letters "sourcet" are typed into the Search bar. A list of matching terms and matching searches appears below the Search bar.

The Matching Terms are based on the terms that are indexed from your data. The Matching Searches are based on your recent searches.

The list continues to update as you type.

To add an item in the list to your search criteria you can click on an item, or use the arrow keys to highlight the item and press Enter.

Search assistant modes

The search assistant has two modes: Compact and Full. The default mode is Compact.

Compact mode

The Compact mode displays a list of matching terms and searches when you type. When you type a pipe ( | ) character, to indicate that you want to use a command, a list of the SPL commands appears. You can type a letter to quickly jump to the section of the list that begins with that letter. For example, if you type the letter s, the list displays all of the commands that begin with the letter s.

When you type a command, a list appears showing Command History and Matching Searches. Initially, the Command History shows some command examples. As you use a command in your searches, the Command History displays your uses of the command instead of the examples.

This screen image shows the search "sourcetype=secure host="mailsv" | stats count by" typed into the Search bar. A list appears below the Search bar that contains command history terms and matching searches.

Below the list is a brief description for the command and an example. The Learn More link opens the Search Reference in a new window and displays documentation about the command.

To access the Learn More link, use your keyboard. Arrow down to the command or attribute name to highlight the name. Press Tab to highlight the '''Learn More''' link and then press Enter to activate the link.

If you type something after the command, the search assistant shows any command arguments or history that match what you type.

This screen image shows the search "sourcetype="secure" failed  | top c" typed into the Search bar. The list below the search bar shows the command arguments and command history that begin with the letter "c".  The search assistant list shows the "countfield=" for Command Args and the "top categoryId"  for Command History.

The search assistant can also show you the data type that an argument requires. Type the argument in the Search bar. Include the equal ( = ) symbol, if that is part of the argument syntax. In the following example, the search assistant shows that a <string> value is required for the countfield argument.

This screen image shows the search "sourcetype="secure" failed  | top countfield=" typed into the Search bar. The list below the Search bar shows that the countfield argument expects a <string> value.

Full mode

The Full mode displays a list of matching terms and searches when you type, along with a count of how many times a term appears in your indexed data. This count tells you how many search results will be returned if you search on that term. If a term or phrase is not in the list, the term is not in your indexed data.

The Full mode also provides suggestions in the How To Search section on ways that you can retrieve events and use the search commands.

This screen image shows "sourcet" typed into the search bar. A list of Matching Searches and Matching Terms displays below the Search bar. With the Full mode, the Matching Terms also include a count of the number of times that term appears in your data. In this example the terms are sourcetype="access_combined_wcookie", sourcetype="secure", and sourcetype="vendor_sales". There is a red box around the counts for the terms.

When you type a command in the Search bar, the list of matching terms and searches is replaced with the Command History list.

To add an item in the Command History list to your search criteria click on an item, or use the arrow keys to highlight the item and press Enter.

The search assistant displays a brief description of the command and several examples. There are two links next to the command description: Help and More.

  • The Help link opens the Search Reference in a new window, and displays documentation about the command.
  • The More link expands the information about the command that is displayed on the screen.

This screen image shows "sourcettype="secure" failed | top" typed into the search bar. A list of Matching Searches and Command History displays below the Search bar. A brief description of the top command and several examples are also displayed.  There are two links next to the command name. There is a red box around the Help and More links.

When you select the More link, several new sections appear. The Details section provides a more detailed description of the command. The Syntax section shows the basic syntax for the command. The Related section lists commands that are related to the command that you typed. If the command has complex syntax, click the More link next to the syntax to expand the syntax.

This screen image shows "sourcettype="secure" failed | top" typed into the Search bar. The More link has been selected and the detailed description for the "top" command, along with the syntax and related commands are displayed. There is a red box around the description, syntax, and related commands.

If you type something after the command, the search assistant shows any command arguments or history that match what you type.

This screen image shows the search "sourcetype="secure" failed  | top c" typed into the Search bar. The list below the Search bar shows the command arguments and command history that begin with the letter "c".  The search assistant shows "...|  top categoryId" for Command History and "countfield=" for Command Args.

The search assistant can show you the data type that an argument requires. Type the argument in the Search bar. Include the equal ( = ) symbol if that is part of the argument syntax. In the following example, the search assistant shows that a <string> value is required for the countfield argument.

This screen image shows the search "sourcetype="secure" failed  | top countfield=" typed into the Search bar. The search assistant shows that the countfield argument expects a <string> value.

Change the search assistant mode

The default search assistant mode is Compact. You can change the search assistant mode or temporarily hide the search assistant while you build your search.

When you change the search assistant mode, the change is only for your user account.

Prerequisite

If the Search bar contains a search that you have not run, run the search before you change the search assistant mode. Otherwise the search is lost when you change modes. Running the search adds the search to the search history, where you can access it after you change the mode.

Steps

  1. On the Splunk bar, select [User_account_name] > Account Settings.
  2. This screen image shows the Splunk bar. The user account name "Administrator" is selected. The menu choices are Account Settings and Logout.
  3. Under the Search section, look for Search assistant and select Compact, Full, or None.
  4. Click Save.

The None mode turns the search assistant off.

Hide and display the search assistant

By default, the search assistant opens when you type something into the Search bar.

Hide the search assistant by default

Depending on the mode you are using, you can turn off the search assistant or make the search assistant hidden by default.

Compact mode

With the Compact mode, you cannot permanently hide the search assistant. You can only temporarily hide it, or turn it off by changing the search assistant mode to None.


Full mode

With the Full mode, you can set the search assistant to be hidden by default.

  • In the search assistant window, select Auto Open. This removes the check mark next to Auto Open.


When you start a new search, the search assistant is hidden. This setting remains active even when you close Splunk Web. The next time you open Splunk Web, the search assistant is hidden.

Temporarily hide the search assistant

In both the Compact and Full modes, you can temporarily hide the search assistant.

Compact mode

  • Press ESC.

Full mode

  • At the bottom of the search assistant window, click the collapse arrow to hide the window.
This screen image shows the search assistant in Full mode. The collapse arrow at the bottom left corner of the search assistant window has a red circle around it.

Unhide the search assistant window

If the search assistant window is hidden, you can unhide it.

Compact mode

  • Use the keyboard shortcut for your operating system to unhide the window.
    • On Linux or Windows, press CTRL+space.
    • On Mac, press Control+space.


Full mode

Whether you have the search assistant hidden by default or temporarily hidden, you can unhide the search assistant window at any time.

  • Under the Search bar, click the expand arrow to display the search assistant window.


See Temporarily hide the search assistant for information about the collapse/expand button.

If these steps do not unhide the search assistant window, then either the search assistant is turned off or there is no assistance for what you have typed.

To turn the Search Assistant back on, see Change the search assistant mode.


Change the default search assistant mode for all users

Individual users can change the default search assistant setting for themselves. The default search assistant mode can also be changed globally, for all users.

Prerequisites

  • Only users with file system access, such as system administrators, can change the default search assistant mode for all users.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

Steps

  1. Open the local user-prefs.conf.spec.in file for the Search app. For example $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Under the [general] stanza, change the search assistant mode by selecting one of the other mode values. Choose from full, compact, or none. For example, search_assistant=full.
  3. Restart the Splunk instance.
Last modified on 05 March, 2018
PREVIOUS
Anatomy of a search
  NEXT
Help reading searches

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters