Splunk Enterprise Security

sourcetype autopopulate

trojan_81
Path Finder

All

Newbie question. When I go to do a Splunk search and do not know the exact sourcetype name, shouldn't it auto-populate as I'm typing it in?

For example, suppose the sourcetype I wish to query is named: WindowsEventLogs

On my search I type in: index=* sourcetype="win

but it never autocompletes. In my lab environment it completes, but not in this production environment. Is this a setting somewhere within Splunk?

0 Karma

rkyadav
Path Finder

You can enable search assistant mode, which would give you the auto-populate option:

https://docs.splunk.com/Documentation/Splunk/7.3.3/Search/Usingthesearchassistant

OR
You can go to /etc/apps/user-prefs/default/user-prefs.conf:
Check for search assistant; below I have compact mode.

[general]
search_syntax_highlighting = 1
search_assistant = compact

0 Karma

rkyadav
Path Finder

@trojan_81
If you're good with the above, please accept the answers.
Thanks

0 Karma