Splunk Search

Why does search typeahead no longer show "matching terms" after I upgraded to Splunk 6.3?

rroberts
Splunk Employee
Splunk Employee

I upgraded to Splunk 6.3 and it's working beautifully, however, I no longer get "matching terms" as I type in the search box.

In previous versions of Splunk, if I typed: err in the search box, I would see error=300, errors=402, errored=23 as typehead matching terms. Now I only see the term error show up in "matching search". There seems to be no matching term as you search now? I have auto-open turned on the search assistant.

0 Karma
1 Solution

rroberts
Splunk Employee
Splunk Employee

It looks like this bug has already been reported to engineering as:
SPL-93222
SPL-96621

View solution in original post

rroberts
Splunk Employee
Splunk Employee

It looks like this bug has already been reported to engineering as:
SPL-93222
SPL-96621

woodcock
Esteemed Legend

This may be related to your history on that Search Head which should be here:

$SPLUNK_HOME/etc/users/<YourUserName>/search/history/<YourSearchHead>.csv

It seems that something during your upgrade damaged/deleted this file but perhaps you can restore it from your backup. You did make a backup of your Search Head before you upgraded, didn't you?

Also, as the file location implies, you have a different search history depending on which app (context) you have when you search. It is possible that either you are searching from within a different app. This is common when some apps are removed during the upgrade process.

0 Karma

rroberts
Splunk Employee
Splunk Employee

These are "matching terms" not matching previous searches. Shouldnt they be fetched from the index? In 6.2 I can see ..DEBUG SearchOperator: Typeahead ....loadtermsfromlex. In 6.3 when I put the SearchOperator:Typeahead in debug mode I dont see this "loadtermsfromlex" occurring. Also, to answer your question. I see my searchhead.csv file and it looks fine.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...