Splunk Cloud Platform

Search Reference

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF



Returns typeahead information for a specified prefix. The maximum number of results returned is based on value you specify for the count argument. The typeahead command can be targeted to an index and restricted by time.


The required syntax is in bold.

| typeahead

Required arguments

Syntax: prefix=<string>
Description: The full search string to return typeahead information.
Syntax: count=<int>
Description: The maximum number of results to return.

Optional arguments

Syntax: index=<string>
Description: Search the specified index instead of the default index.
Syntax: max_time=<int>
Description: The maximum time in seconds that the typeahead can run. If max_time=0, there is no limit.
Syntax: starttimeu=<int>
Description: Set the start time to N seconds, measured in UNIX time.
Default: 0
Syntax: endtimeu=<int>
Description: Set the end time to N seconds, measured in UNIX time.
Default: now
Syntax: collapse=<bool>
Description: Specify whether to collapse a term that is a prefix of another term when the event count is the same.
Default: true
Syntax: max_servers=<int>
Description: Specify the maximum number of indexer search peers to be used in addition to the search head for the provision of typeahead functionality.
Default: 2


The typeahead command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Set the number of additional search peers used in a typeahead job

The max_servers argument is designed to minimize the workload impact of running typeahead search jobs in an indexer clustering environment. For load balancing, the selection of additional search peers for typeahead is random.

A setting of 0 removes all limits, causing all available search peers to be used for typeahead search jobs.

The default for the max_servers argument is controlled by the max_servers setting in limits.conf.

Typeahead and source type renaming

After renaming the sourcetype in the props.conf file, it takes about 5 minutes (the exact time might slightly depend on the performance of the server) to clear up the cache data. A typeahead search that is run while the cache is being cleared returns the cached source type data. This is expected behavior.

To remove the cached data, in a terminal window run the following command:

rm $SPLUNK_HOME/var/run/splunk/typeahead/*, then re-run the typeahead search.

When you re-run the typeahead search, you should see the renamed source types.

For more information, see Rename source types in the Getting Data In manual.

Typeahead and tsidx bucket reduction

typeahead searches over indexes that have undergone tsidx bucket reduction will return incorrect results.

For more information see Reduce tsidx disk usage in Managing indexers and clusters of indexers.


Example 1:

Return typeahead information for sources in the "_internal" index.

| typeahead prefix=source count=10 index=_internal

Last modified on 10 September, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111, 8.2.2112

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters