Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

typeahead

Description

Returns autosuggest information for a specified prefix that is used to autocomplete word candidates in searches. The maximum number of results returned is based on the value you specify for the count argument.

Syntax

The required syntax is in bold.

| typeahead
prefix=<string>
count=<int>
[collapse=<bool>]
[<endtimeu=<int>]
[<index=<string>]
[max_time=<int>]
[<starttimeu=<int>]
[use_cache=<bool>]

Required arguments

prefix
Syntax: prefix=<string>
Description: The full search string to return typeahead information.
count
Syntax: count=<int>
Description: The maximum number of results to return.

Optional arguments

collapse
Syntax: collapse=<bool>
Description: Specify whether to collapse a term that is a prefix of another term when the event count is the same.
Default: true
endtimeu
Syntax: endtimeu=<int>
Description: Set the end time to N seconds, measured in UNIX time.
Default: now
index-specifier
Syntax: index=<string>
Description: Search the specified index instead of the default index.
max_time
Syntax: max_time=<int>
Description: The maximum time in seconds that the typeahead can run. If max_time=0, there is no limit.
startimeu
Syntax: starttimeu=<int>
Description: Set the start time to N seconds, measured in UNIX time.
Default: 0
use_cache
Syntax: use_cache = <boolean>
Description: Specifies whether the typeahead cache will be used if use_cache is not specified in the command line or endpoint. When use_cache is turned on, Splunk software uses cached search results when running typeahead searches, which may have outdated results for a few minutes after you make changes to .conf files. For more information, see Typeahead and .conf file updates.
Default: true or 1

Usage

The typeahead command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

The typeahead command can be targeted to an index and restricted by time.

When you run the typeahead command, Splunk software runs internal typeahead searches and extracts data from indexes, configurations, and search histories. This information is used to autocomplete word candidates when users type commands in the Search bar in Splunk Web. The typeahead command extracts data from these sources:

  • Indexing field names from indexes.
  • Settings in configuration files, such as props.conf and savedsearches.conf.
  • The search history from previous searches in Splunk Web.

Typeahead and .conf file updates

The typeahead command uses a cache to run fast searches at the expense of accurate results. As a result, sometimes what is in the cache and shows up in typeahead search results may not reflect recent changes to .conf files. This is because it takes 5 or 10 minutes for the cached data to clear, depending on the performance of the server. For example, if you rename a sourcetype in the props.conf file, it may take a few minutes for that change to display in typeahead search results. A typeahead search that is run while the cache is being cleared returns the cached data, which is expected behavior.

If you make a change to a .conf file, you can wait a few minutes for the cache to clear to get the most accurate and up-to-date results from your typeahead search. Alternatively, you can turn off the use_cache argument to clear the cache immediately, which fetches more accurate results, but is a little slower. After you manually clear the cache, you should see the changes to your .conf file reflected in your results when you rerun the typeahead search.

For more information, see Rename source types in the Splunk Cloud Platform Getting Data In manual.

Typeahead and tsidx bucket reduction

typeahead searches over indexes that have undergone tsidx bucket reduction will return incorrect results.

For more information see Reduce tsidx disk usage in Managing indexers and clusters of indexers.

Examples

Example 1: Return typeahead information for source

When you run a typeahead search, Splunk software extracts information about field definitions from indexes, configurations, and search histories, and displays the relevant information for the specified prefix. For example, say you run the following search for the source prefix against the main index:

| typeahead index=main prefix="source" count=3

The typeahead command searches the index and shows you what is visible to your users as autocomplete suggestions when they start to type source in their searches in Splunk Web. The results look something like this:

content count operator
source="access_30DAY.log" 131645 false
source="data.csv" 4 false
source="db_audit_30DAY.csv" 44096 false

Example 2: Return typeahead information for saved searches

You can also run typeahead on saved searches. For example, say you run this search:

|typeahead prefix="savedsearch=" count=3

The results look something like this, which tells you what your users see as autocomplete suggestions when they start to type savedsearch in the Search bar in Splunk Web.

content count operator
savedsearch="403_by_clientip" 26 true
savedsearch="Errors in the last 24 hours" 5 true
savedsearch="Errors in the last hour" 2 true

Example 3: Return typeahead information for sourcetypes in the _internal index

When you run the following typeahead search, Splunk software returns typeahead information for sourcetypes in the _internal index.

| typeahead prefix=sourcetype count=5 index=_internal

The results look something like this.

content count operator
sourcetype 373993 false
sourcetype="mongod" 711 false
sourcetype="scheduler" 2508 false
sourcetype="splunk_btool" 3 false
sourcetype="splunk_intro_disk_objects" 5 false
Last modified on 02 June, 2022
tstats   typelearner

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters