sourcetype autopopulate

trojan_81 · ‎12-01-2019

All

Newbie question. When I go to do a splunk search and do not know the exact sourcetype name, shouldn't it auto populate as I'm typing it in?

For example, suppose the sourcetype I wish to query is named: WindowsEventLogs

On my search I type in: index=* sourcetype="win

but it never autocompletes. In my lab environment it completes but not in this production environment. Is this a setting somewhere within splunk?

rkyadav · ‎12-16-2019

you can enable search assistant mode that would allow you auto populate option:

OR
You can go to /etc/apps/user-prefs/default/user-prefs.conf :
Check for search assistant, below i have compact mode

[general]
search_syntax_highlighting = 1
search_assistant = compact

rkyadav · ‎12-02-2019

you can enable search assistant mode that would allow you auto populate option:

OR
You can go to /etc/apps/user-prefs/default/user-prefs.conf :
Check for search assistant, below i have compact mode

[general]
search_syntax_highlighting = 1
search_assistant = compact

rkyadav · ‎12-02-2019

@trojan_81
If you good with above , please accept the answers.
thanks