Splunk Cloud

Search Reference

Download manual as PDF

Download topic as PDF

history

Description

Use this command to view the search history of the current user. This search history is presented as a set of events or as a table.

Syntax

| history [events=<bool>]

Required arguments

None.

Optional arguments

events
Syntax: events=<bool>
Description: When you specify events=true, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specify events=false, the search history is returned in a table format for more convenient aggregate viewing.
Default: false

Fields returned when events=false.

Output field Description
_time The time that the search was started.
api_et The earliest time of the API call, which is the earliest time for which events were requested.
api_lt The latest time of the API call, which is the latest time for which events were requested.
event_count If the search retrieved or generated events, the count of events returned with the search.
exec_time The execution time of the search in integer quantity of seconds into the Unix epoch.
is_realtime Indicates whether the search was real-time (1) or historical (0).
result_count If the search is a transforming search, the count of results for the search.
scan_count The number of events retrieved from a Splunk index at a low level.
search The search string.
search_et The earliest time set for the search to run.
search_lt The latest time set for the search to run.
sid The search job ID.
splunk_server The host name of the machine where the search was run.
status The status of the search.
total_run_time The total time it took to run the search in seconds.

Usage

The history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Examples

Return search history in a table

Return a table of the search history. You do not have to specify events=false, since that this the default setting.

| history

This image shows the fields that are created when you run the history command using the default setting.

Return search history as events

Return the search history as a set of events.

| history events=true

This image shows the search history as a set of events.

See also

search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the history command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:History:4.1&oldid=1025109"
PREVIOUS
highlight 		  NEXT
iconify

This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.5, 7.0.3, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7

Comments

Hi, SloshBurch. I updated the topic with more information. Thank you.

Sophy
December 9, 2013

Please clarify that this command will ONLY show the current user's history?

SloshBurch
December 4, 2013

Can't you use sort to reverse the order? | history | sort _time <br /><br />and |history | sort _time| where match(search,"user") to look for history entries that contain user

Jonathon
September 5, 2013

actually, you should be able to pipe this search to further search parameters, and also use the reverse command ( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Reverse ) to accomplish some of this.

Rachel, Splunker
September 21, 2012

hi Supersleepwalker: i suggest you file an enhancement request with the Support team--this will get passed to Product Management for consideration.

Rachel, Splunker
August 31, 2012

I want to know how I can search my history. I'd like to be able to do a reverse search, like in bash.

Supersleepwalker
August 24, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters