Use this command to view the search history of the current user. This search history is presented as a set of events or as a table.
| history [events=<bool>]
- Syntax: events=<bool>
- Description: When you specify
events=true, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specify
events=false, the search history is returned in a table format for more convenient aggregate viewing.
- Default: false
Fields returned when
Output field Description
The time that the search was started.
The earliest time of the API call, which is the earliest time for which events were requested.
The latest time of the API call, which is the latest time for which events were requested.
If the search retrieved or generated events, the count of events returned with the search.
The execution time of the search in integer quantity of seconds into the Unix epoch.
Indicates whether the search was real-time (1) or historical (0).
If the search is a transforming search, the count of results for the search.
The number of events retrieved from a Splunk index at a low level.
The search string.
The earliest time set for the search to run.
The latest time set for the search to run.
The search job ID.
The host name of the machine where the search was run.
The status of the search.
The total time it took to run the search in seconds.
history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Return search history in a table
Return a table of the search history. You do not have to specify
events=false, since that this the default setting.
Return search history as events
Return the search history as a set of events.
| history events=true
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the history command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3