Returns typeahead information for a specified prefix. The maximum number of results returned is based on value you specify for the
count argument. The
typeahead command can be targeted to an index and restricted by time.
The required syntax is in bold.
- | typeahead
- Syntax: prefix=<string>
- Description: The full search string to return
- Syntax: count=<int>
- Description: The maximum number of results to return.
- Syntax: index=<string>
- Description: Search the specified index instead of the default index.
- Syntax: max_time=<int>
- Description: The maximum time in seconds that the
typeaheadcan run. If
max_time=0, there is no limit.
- Syntax: starttimeu=<int>
- Description: Set the start time to N seconds, measured in UNIX time.
- Default: 0
- Syntax: endtimeu=<int>
- Description: Set the end time to N seconds, measured in UNIX time.
- Default: now
- Syntax: collapse=<bool>
- Description: Specify whether to collapse a term that is a prefix of another term when the event count is the same.
- Default: true
- Syntax: max_servers=<int>
- Description: Specify the maximum number of indexer search peers to be used in addition to the search head for the provision of typeahead functionality.
- Default: 2
typeahead command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Set the number of additional search peers used in a typeahead job
max_servers argument is designed to minimize the workload impact of running
typeahead search jobs in an indexer clustering environment. For load balancing, the selection of additional search peers for typeahead is random.
A setting of
0 removes all limits, causing all available search peers to be used for typeahead search jobs.
The default for the
max_servers argument is controlled by the
max_servers setting in
Typeahead and source type renaming
After renaming the
sourcetype in the
props.conf file, it takes about 5 minutes (the exact time might slightly depend on the performance of the server) to clear up the cache data. A
typeahead search that is run while the cache is being cleared returns the cached source type data. This is expected behavior.
To remove the cached data, in a terminal window run the following command:
rm $SPLUNK_HOME/var/run/splunk/typeahead/*, then re-run the typeahead search.
When you re-run the
typeahead search, you should see the renamed source types.
For more information, see Rename source types in the Getting Data In manual.
Typeahead and tsidx bucket reduction
typeahead searches over indexes that have undergone tsidx bucket reduction will return incorrect results.
For more information see Reduce tsidx disk usage in Managing indexers and clusters of indexers.
Return typeahead information for sources in the "_internal" index.
| typeahead prefix=source count=10 index=_internal
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111