Splunk® Enterprise

Search Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Help building searches

The Splunk Search Processing Language (SPL) includes commands and functions that you can use to build searches. All of the commands and functions are documented in the Search Reference.

Splunk Web has several built-in features to help you build and parse searches.

  • Search assistant modes
  • Syntax highlighting
  • Auto-format search syntax
  • Numbering search lines
  • Shortcuts


This topic discusses using the search assistant. See Help reading searches for information about syntax highlighting, auto-formatting, line numbers, and shortcuts.

Use the search assistant to build searches

When you type a few letters or a term into the Search bar, the search assistant shows you terms and searches that match what you typed.

This screen image shows the search assistant Compact mode. The letters "sourcet" are typed into the Search bar. A list of matching terms and matching searches appears below the Search bar.

The Matching Terms are based on the terms that are indexed from your data. The Matching Searches are based on your recent searches.

The list continues to update as you type.

To add an item in the list to your search criteria you can click on an item, or use the arrow keys to highlight the item and press Enter.

Search assistant modes

The search assistant has three modes: Full, Compact, and None. The default mode is Compact.

Compact mode

The Compact mode displays a list of matching terms and searches when you type. When you type a pipe ( | ) character to indicate that you want to use a command, a list of the SPL commands appears. You can type a letter to jump to the section of the list that begins with that letter. For example, if you type the letter s, the list displays all of the commands that begin with the letter s.

When you type a command, a list appears showing Command History and Matching Searches. Initially, the Command History shows some command examples. As you use a command in your searches, the Command History displays your uses of the command instead of the examples.

This screen image shows the search "sourcetype=secure host="mailsv" | stats count by" typed into the Search bar. A list appears below the Search bar that contains command history terms and matching searches.

Below the list are a brief description of the command and an example. The Learn More link opens the Search Reference in a new window and displays documentation about the command.

To access the Learn More link from your keyboard, use your arrow keys to highlight the command or attribute name. Press Tab to highlight the Learn More link and then press Enter to activate the link.

If you type something after the command, the search assistant shows any command arguments or history that match what you type.

This screen image shows the search "sourcetype="secure" failed  | top c" typed into the Search bar. The list below the search bar shows the command arguments and command history that begin with the letter "c".  The search assistant list shows the "countfield=" for Command Args and the "top categoryId"  for Command History.

The search assistant can also show you the data type that an argument requires. Type the argument in the Search bar. Include the equal ( = ) symbol, if that is part of the argument syntax. In the following example, the search assistant shows that a <string> value is required for the countfield argument.

This screen image shows the search "sourcetype="secure" failed  | top countfield=" typed into the Search bar. The list below the Search bar shows that the countfield argument expects a <string> value.

Full mode

The Full mode displays a list of matching terms and searches when you type, along with a count of how many times a term appears in your indexed data. This count tells you how many search results will be returned if you search on that term. If a term or phrase is not in the list, the term is not in your indexed data.

The Full mode also provides suggestions in the How To Search section on ways that you can retrieve events and use the search commands.

This screen image shows "sourcet" typed into the search bar. A list of Matching Searches and Matching Terms displays below the Search bar. With the Full mode, the Matching Terms also include a count of the number of times that term appears in your data. In this example the terms are sourcetype="access_combined_wcookie", sourcetype="secure", and sourcetype="vendor_sales". There is a red box around the counts for the terms.

When you type a command in the Search bar, the list of matching terms and searches is replaced with the Command History list.

To add an item in the Command History list to your search criteria click on an item, or use the arrow keys to highlight the item and press Enter.

The search assistant displays a brief description of the command and several examples. There are two links next to the command description: Help and More.

  • The Help link opens the Search Reference in a new window and displays documentation about the command.
  • The More link expands the information about the command that is displayed on the screen.

This screen image shows "sourcettype="secure" failed | top" typed into the search bar. A list of Matching Searches and Command History displays below the Search bar. A brief description of the top command and several examples are also displayed.  There are two links next to the command name. There is a red box around the Help and More links.

When you select the More link, several new sections appear. The Details section provides a detailed description of the command. The Syntax section shows the basic syntax for the command. The Related section lists commands that are related to the command that you typed. If the command has complex syntax, click the More link next to the syntax to expand the syntax.

This screen image shows "sourcettype="secure" failed | top" typed into the Search bar. The More link has been selected and the detailed description for the "top" command, along with the syntax and related commands are displayed. There is a red box around the description, syntax, and related commands.

If you type something after the command, the search assistant shows any command arguments or history that match what you type.

This screen image shows the search "sourcetype="secure" failed  | top c" typed into the Search bar. The list below the Search bar shows the command arguments and command history that begin with the letter "c".  The search assistant shows "...|  top categoryId" for Command History and "countfield=" for Command Args.

The search assistant can show you the data type that an argument requires. Type the argument in the Search bar. Include the equal ( = ) symbol if that is part of the argument syntax. In the following example, the search assistant shows that a <string> value is required for the countfield argument.

This screen image shows the search "sourcetype="secure" failed  | top countfield=" typed into the Search bar. The search assistant shows that the countfield argument expects a <string> value.

None mode

You can turn off the search assistant by changing the mode to None.

Change the search assistant mode

The default search assistant mode is Compact. You can change the search assistant mode or temporarily hide the search assistant while you build your search.

When you change the search assistant mode, the change affects only your user account.

Prerequisites

  • If the Search bar contains a search that you have not run, run the search before you change the search assistant mode. Otherwise, the search is lost when you change modes. Running the search adds the search to the search history, where you can access it after you change the mode.
  • If you have a Splunk Free license, you cannot change the search assistant mode. The User account menu, where the Preferences options resides, is not available in Splunk Free. To learn about what is and is not included in Splunk Free, see About Splunk Free in the Admin manual.

Steps

  1. On the Splunk bar, select [User_account_name] > Preferences.
    This screen image shows the Splunk bar. The user account name "Administrator" is selected. The menu choices are Account Settings, Preferences, and Logout.
  2. Click SPL Editor.
  3. Verify that the Advanced editor is turned on.
  4. For Search assistant, click on the mode that you want to use, Full, Compact, or None.
  5. This screen image shows the SPL Editor section in the Preferences window. This screen image shows that the Compact mode is active. The Full mode is highlighted.
  6. Click Apply.

Hide and display the search assistant

By default, the search assistant opens when you type something into the Search bar. You can turn off or hide the search assistant.

Turn off the search assistant

To turn off the search assistant, change the search assistant mode to None.

Hide the search assistant

The options for hiding the search assistant depend on the mode that you are using.

Compact mode
You cannot hide the search assistant. You can only turn off the search assistant.
Full mode
To hide the search assistant in Full mode, you turn off the Auto Open feature and collapse the search assistant drop-down.
  1. In the search assistant window, click Auto Open. This removes the check mark next to Auto Open.
  2. Click the collapse and expand button on the right side of the Search bar to hide the search assistant.
The search assistant remains hidden until you use the expand button to show the search assistant again. See Unhide the search assistant window in this topic.
This screen image shows the search assistant in Full mode. The Auto Open button is highlighted and the collapse and expand button is identified on the right side of the Search bar.

When you uncheck Auto Open and click the collapse button the search assistant is hidden, even when you start a new search or close and reopen Splunk Web. The search assistant remains hidden until you unhide it.

Unhide the search assistant

If the search assistant is hidden, click the expand button on the right side of the Search bar and click Auto Open.

If these steps do not unhide the search assistant window, then either the search assistant is turned off or there is no assistance for what you have typed into the Search bar.

To turn the Search Assistant back on, you need to change the search assistant mode to Compact or Full.

Change the default search assistant mode for all users

Individual users can change the default search assistant setting for themselves. The default search assistant mode can also be changed globally, for all users.

Prerequisites

  • Only users with file system access, such as system administrators, can change the default search assistant mode for all users.
  • Know how to edit configuration files. Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps

  1. Open or create a local user-prefs.conf file for the Search app at $SPLUNK_HOME/etc/apps/<app_name>/local if you are using *nix, or %SPLUNK_HOME%\etc\apps\<app_name>\local if you are using Windows.
  2. In the [general] stanza, change the search assistant mode by selecting one of the other mode values. Choose from full, compact, or none. For example: search_assistant=full.
  3. Restart the Splunk Enterprise instance.

See also

Related information
Help reading searches
Add comments to searches
Anatomy of a search
Last modified on 16 April, 2024
Anatomy of a search   Help reading searches

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters