Download topic as PDF
history
Description
Use this command to view the search history of the current user. This search history is presented as a set of events or as a table.
Syntax
| history [events=<bool>]
Required arguments
None.
Optional arguments
- events
- Syntax: events=<bool>
- Description: When you specify
events=true, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specifyevents=false, the search history is returned in a table format for more convenient aggregate viewing. - Default: false
Fields returned when events=false.
Output field Description _timeThe time that the search was started. api_etThe earliest time of the API call, which is the earliest time for which events were requested. api_ltThe latest time of the API call, which is the latest time for which events were requested. event_countIf the search retrieved or generated events, the count of events returned with the search. exec_timeThe execution time of the search in integer quantity of seconds into the Unix epoch. is_realtimeIndicates whether the search was real-time (1) or historical (0). result_countIf the search is a transforming search, the count of results for the search. scan_countThe number of events retrieved from a Splunk index at a low level. searchThe search string. search_etThe earliest time set for the search to run. search_ltThe latest time set for the search to run. sidThe search job ID. splunk_serverThe host name of the machine where the search was run. statusThe status of the search. total_run_timeThe total time it took to run the search in seconds.
Usage
The history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Examples
Return search history in a table
Return a table of the search history. You do not have to specify events=false, since that this the default setting.
| history
Return search history as events
Return the search history as a set of events.
| history events=true
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the history command.
|
PREVIOUS highlight |
NEXT iconify |
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.2, 7.0.0, 7.0.3, 7.0.5, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4
Comments
Please clarify that this command will ONLY show the current user's history?
Can't you use sort to reverse the order? | history | sort _time <br /><br />and |history | sort _time| where match(search,"user") to look for history entries that contain user
actually, you should be able to pipe this search to further search parameters, and also use the reverse command ( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Reverse ) to accomplish some of this.
hi Supersleepwalker: i suggest you file an enhancement request with the Support team--this will get passed to Product Management for consideration.
I want to know how I can search my history. I'd like to be able to do a reverse search, like in bash.
Hi, SloshBurch. I updated the topic with more information. Thank you.