Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does search typeahead no longer show "matching terms" after I upgraded to Splunk 6.3?

rroberts
Splunk Employee
Splunk Employee
‎10-20-2015 02:25 PM

I upgraded to Splunk 6.3 and it's working beautifully, however, I no longer get "matching terms" as I type in the search box.

In previous versions of Splunk, if I typed: err in the search box, I would see error=300, errors=402, errored=23 as typehead matching terms. Now I only see the term error show up in "matching search". There seems to be no matching term as you search now? I have auto-open turned on the search assistant.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rroberts
Splunk Employee
Splunk Employee
‎10-21-2015 07:28 AM

It looks like this bug has already been reported to engineering as:
SPL-93222
SPL-96621

View solution in original post

Reply
Solved! Jump to solution
Solution

rroberts
Splunk Employee
Splunk Employee
‎10-21-2015 07:28 AM

It looks like this bug has already been reported to engineering as:
SPL-93222
SPL-96621

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-20-2015 02:39 PM

This may be related to your history on that Search Head which should be here:

$SPLUNK_HOME/etc/users/<YourUserName>/search/history/<YourSearchHead>.csv

It seems that something during your upgrade damaged/deleted this file but perhaps you can restore it from your backup. You did make a backup of your Search Head before you upgraded, didn't you?

Also, as the file location implies, you have a different search history depending on which app (context) you have when you search. It is possible that either you are searching from within a different app. This is common when some apps are removed during the upgrade process.

0 Karma
Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎10-20-2015 02:52 PM

These are "matching terms" not matching previous searches. Shouldnt they be fetched from the index? In 6.2 I can see ..DEBUG SearchOperator: Typeahead ....loadtermsfromlex. In 6.3 when I put the SearchOperator:Typeahead in debug mode I dont see this "loadtermsfromlex" occurring. Also, to answer your question. I see my searchhead.csv file and it looks fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...