
history
Description
Use this command to view the search history of the current user. This search history is presented as a set of events or as a table.
Syntax
| history [events=<bool>]
Required arguments
None.
Optional arguments
- events
- Syntax: events=<bool>
- Description: When you specify events=true, the search history is returned as events. This invokes the event-oriented UI, which allows for convenient highlighting or field inspection. When you specify events=false, the search history is returned in a table format for more convenient aggregate viewing.
- Default: false
Fields returned when events=false.
Output field: Description
- _time: The time that the search was started.
- api_et: The earliest time of the API call, which is the earliest time for which events were requested.
- api_lt: The latest time of the API call, which is the latest time for which events were requested.
- event_count: If the search retrieved or generated events, the count of events returned with the search.
- exec_time: The execution time of the search, as an integer number of seconds since the Unix epoch.
- is_realtime: Indicates whether the search was real-time (1) or historical (0).
- result_count: If the search is a transforming search, the count of results for the search.
- scan_count: The number of events retrieved from a Splunk index at a low level.
- search: The search string.
- search_et: The earliest time set for the search to run.
- search_lt: The latest time set for the search to run.
- sid: The search job ID.
- splunk_server: The host name of the machine where the search was run.
- status: The status of the search.
- total_run_time: The total time it took to run the search in seconds.
Usage
The history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Examples
Return search history in a table
Return a table of the search history. You do not have to specify events=false, since that is the default setting.
| history
Return search history as events
Return the search history as a set of events.
| history events=true
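Review slow historical searches (added example)
This example is added here and is not part of the original Splunk documentation. It uses the table fields listed under "Fields returned when events=false" to list the current user's historical searches that ran longer than a threshold, slowest first. The 60-second threshold and the started and scan_ratio field names are assumptions chosen for illustration.

```spl
| history
| where is_realtime=0 AND total_run_time > 60
| eval started=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval scan_ratio=if(event_count > 0, round(scan_count / event_count, 1), null())
| sort - total_run_time
| table started sid status total_run_time scan_count event_count scan_ratio search
```

A high scan_ratio means the search retrieved many events from the index for each event it returned.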
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the history command.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.10, 6.2.11, 6.2.13, 6.0.11, 4.3.1, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 6.2.14, 6.2.2
Comments
Please clarify that this command will ONLY show the current user's history?
Can't you use sort to reverse the order? | history | sort _time
and |history | sort _time| where match(search,"user") to look for history entries that contain user
Actually, you should be able to pipe this search to further search parameters, and also use the reverse command ( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Reverse ) to accomplish some of this.
Hi Supersleepwalker: I suggest you file an enhancement request with the Support team--this will get passed to Product Management for consideration.
I want to know how I can search my history. I'd like to be able to do a reverse search, like in bash.
Hi, SloshBurch. I updated the topic with more information. Thank you.