Splunk® Enterprise

Search Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Search history

There are several ways to view your search history for searches that you have previously run.

The search history is available only for the app you're currently using. For example, if you run a search in another Splunk app, the search history for that app will not be visible in the search history in the Search app.

Search history in the Search Summary view

Your full search history appears at the bottom of the Search Summary view.

Use the Search History panel to view and interact with the searches that you have previously run.

Click the greater than ( > ) symbol to expand the display to view your search history. The search history displays as a table with the following columns:

Search
Contains the search string, displayed as plain text so that you can copy the contents. By default, the Search History table truncates the search string to fit on a single line. For longer search strings, you can click the expand icon to the left of the search string to display the full search string.
Actions
Contains the action, Add to search. Click Add to Search to replace the contents of the search bar with the selected historical search contents.
You can use keyboard shortcuts to display the search in a new browser tab.
Windows: Use CTRL+ click on Add to Search
Mac: Use Command + click on Add to Search
Last Run
Contains the date and time when the search was last run.

This image shows the search history table..

Filter to locate searches

You can filter your search history to quickly find the search that you are looking for. You can filter by keyword or filter by time.

  • Type keywords into the filter text box to locate historical searches that contain the keyword. For example, type sourcetype=access_* to locate the searches that contain this criteria.
  • Select from the list of time filters based on when the search was last run. Select either Today, Last 7 Days, or Last 30 Days. To see the entire search history, select No Time Filter.

Sort search history

In the Search History table, click the Search column header to sort the searches alphabetically by search criteria. Click the Last Run column heading to sort the searches by the date that the search was run. You can sort the list in ascending or descending order by clicking the column heading again.

Change the page display

By default, the search history shows your most recent 20 searches. Subsequent pages show older searches. Click 20 Per Page to change how many searches appear on each page in the search history list. Choose from 10, 20, or 50 searches to display on each page.

Search history with the Search Assistant

Additionally, as you type search criteria into the Search bar, the Search Assistant shows searches from your history as a possible Matching Search to the criteria you are typing in.

Search history with keyboard navigation

You can also use these keyboard shortcuts to scroll through the last 100 searches in your search history.

Action Linux or Windows Mac OSX
Scroll to the previous search. Alt + P Ctrl + P
Scroll to the next search. Alt + N Ctrl + N

See Also

Navigating Splunk Web
About the Search app
Last modified on 12 August, 2024
Search modes   Search command primer

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters