Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF


Splunk Enterprise version 8.0 will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

typeahead

Description

Returns typeahead information for a specified prefix. The maximum number of results returned is based on value you specify for the count argument. The typeahead command can be targeted to an index and restricted by time.

Syntax

The required syntax is in bold.

| typeahead
prefix=<string>
count=<int>
[max_time=<int>]
[<index=<string>]
[<starttimeu=<int>]
[<endtimeu=<int>]
[collapse=<bool>]

Required arguments

prefix
Syntax: prefix=<string>
Description: The full search string to return typeahead information.
count
Syntax: count=<int>
Description: The maximum number of results to return.

Optional arguments

index-specifier
Syntax: index=<string>
Description: Search the specified index instead of the default index.
max_time
Syntax: max_time=<int>
Description: The maximum time in seconds that the typeahead can run. If max_time=0, there is no limit.
startimeu
Syntax: starttimeu=<int>
Description: Set the start time to N seconds, measured in UNIX time.
Default: 0
endtimeu
Syntax: endtimeu=<int>
Description: Set the end time to N seconds, measured in UNIX time.
Default: now
collapse
Syntax: collapse=<bool>
Description: Specify whether to collapse a term that is a prefix of another term when the event count is the same.
Default: true

Usage

The typeahead command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Typeahead and sourcetype renaming

After renaming the sourcetype in the props.conf file, it takes about 5 minutes (the exact time might slightly depend on the performance of the server) to clear up the cache data. A typeahead search that is run while the cache is being cleared returns the cached source type data. This is expected behavior.

To remove the cached data, in a terminal window run the following command: 

rm $SPLUNK_HOME/var/run/splunk/typeahead/*, then re-run the typeahead search.

When you re-run the typeahead search, you should see the renamed source types.

For more information, see Rename source types in the Getting Data In manual.

Typeahead and tsidx bucket reduction

typeahead searches over indexes that have undergone tsidx bucket reduction will return incorrect results.

For more information see Reduce tsidx disk usage in Managing indexers and clusters of indexers.

Examples

Example 1:

Return typeahead information for sources in the "_internal" index.

| typeahead prefix=source count=10 index=_internal

Last modified on 08 September, 2021
PREVIOUS
tstats 		  NEXT
typelearner

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.6, 7.0.10, 7.0.11, 7.0.13, 6.3.1, 7.0.5, 7.0.8, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.2.0, 8.2.1, 8.2.2, 7.0.7, 7.0.9, 7.1.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters