Download topic as PDF
history
Description
Use this command to view the search history of the current user. This search history is presented as a set of events or as a table.
Syntax
| history [events=<bool>]
Required arguments
None.
Optional arguments
- events
- Syntax: events=<bool>
- Description: When you specify
events=true, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specifyevents=false, the search history is returned in a table format for more convenient aggregate viewing. - Default: false
Fields returned when events=false.
Output field Description _timeThe time that the search was started. api_etThe earliest time of the API call, which is the earliest time for which events were requested. api_ltThe latest time of the API call, which is the latest time for which events were requested. event_countIf the search retrieved or generated events, the count of events returned with the search. exec_timeThe execution time of the search in integer quantity of seconds into the Unix epoch. is_realtimeIndicates whether the search was real-time (1) or historical (0). result_countIf the search is a transforming search, the count of results for the search. scan_countThe number of events retrieved from a Splunk index at a low level. searchThe search string. search_etThe earliest time set for the search to run. search_ltThe latest time set for the search to run. sidThe search job ID. splunk_serverThe host name of the machine where the search was run. statusThe status of the search. total_run_timeThe total time it took to run the search in seconds.
Usage
The history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Examples
Return search history in a table
Return a table of the search history. You do not have to specify events=false, since that this the default setting.
| history
Return search history as events
Return the search history as a set of events.
| history events=true
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the history command.
|
PREVIOUS highlight |
NEXT iconify |
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.10, 6.2.11, 6.2.13, 6.0.11, 4.3.1, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 6.2.14, 6.2.2
Comments
Please clarify that this command will ONLY show the current user's history?
Can't you use sort to reverse the order? | history | sort _time <br /><br />and |history | sort _time| where match(search,"user") to look for history entries that contain user
actually, you should be able to pipe this search to further search parameters, and also use the reverse command ( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Reverse ) to accomplish some of this.
hi Supersleepwalker: i suggest you file an enhancement request with the Support team--this will get passed to Product Management for consideration.
I want to know how I can search my history. I'd like to be able to do a reverse search, like in bash.
Hi, SloshBurch. I updated the topic with more information. Thank you.