Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does search typeahead no longer show "matching terms" after I upgraded to Splunk 6.3?

rroberts
Splunk Employee
Splunk Employee
‎10-20-2015 02:25 PM

I upgraded to Splunk 6.3 and it's working beautifully, however, I no longer get "matching terms" as I type in the search box.

In previous versions of Splunk, if I typed: err in the search box, I would see error=300, errors=402, errored=23 as typehead matching terms. Now I only see the term error show up in "matching search". There seems to be no matching term as you search now? I have auto-open turned on the search assistant.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rroberts
Splunk Employee
Splunk Employee
‎10-21-2015 07:28 AM

It looks like this bug has already been reported to engineering as:
SPL-93222
SPL-96621

View solution in original post

Reply
Solved! Jump to solution
Solution

rroberts
Splunk Employee
Splunk Employee
‎10-21-2015 07:28 AM

It looks like this bug has already been reported to engineering as:
SPL-93222
SPL-96621

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-20-2015 02:39 PM

This may be related to your history on that Search Head which should be here:

$SPLUNK_HOME/etc/users/<YourUserName>/search/history/<YourSearchHead>.csv

It seems that something during your upgrade damaged/deleted this file but perhaps you can restore it from your backup. You did make a backup of your Search Head before you upgraded, didn't you?

Also, as the file location implies, you have a different search history depending on which app (context) you have when you search. It is possible that either you are searching from within a different app. This is common when some apps are removed during the upgrade process.

0 Karma
Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎10-20-2015 02:52 PM

These are "matching terms" not matching previous searches. Shouldnt they be fetched from the index? In 6.2 I can see ..DEBUG SearchOperator: Typeahead ....loadtermsfromlex. In 6.3 when I put the SearchOperator:Typeahead in debug mode I dont see this "loadtermsfromlex" occurring. Also, to answer your question. I see my searchhead.csv file and it looks fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...