
history
Description
Use this command to view the search history of the current user. This search history is presented as a set of events or as a table.
Syntax
| history [events=<bool>]
Required arguments
None.
Optional arguments
- events
- Syntax: events=<bool>
- Description: When you specify events=true, the search history is returned as events. This invokes the event-oriented UI, which allows for convenient highlighting or field inspection. When you specify events=false, the search history is returned in a table format for more convenient aggregate viewing.
- Default: false
Fields returned when events=false.
Output field: Description
- _time: The time that the search was started.
- api_et: The earliest time of the API call, which is the earliest time for which events were requested.
- api_lt: The latest time of the API call, which is the latest time for which events were requested.
- event_count: If the search retrieved or generated events, the count of events returned with the search.
- exec_time: The execution time of the search, as an integer number of seconds since the Unix epoch.
- is_realtime: Indicates whether the search was real-time (1) or historical (0).
- result_count: If the search is a transforming search, the count of results for the search.
- scan_count: The number of events retrieved from a Splunk index at a low level.
- search: The search string.
- search_et: The earliest time set for the search to run.
- search_lt: The latest time set for the search to run.
- sid: The search job ID.
- splunk_server: The host name of the machine where the search was run.
- status: The status of the search.
- total_run_time: The total time it took to run the search in seconds.
Usage
The history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Examples
Return search history in a table
Return a table of the search history. You do not have to specify events=false, since that is the default setting.
| history
Return search history as events
Return the search history as a set of events.
| history events=true
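Rank your most expensive searches
This example is added here and is not part of the original documentation. It uses the table-format fields listed above to rank the current user's historical (non-real-time) searches by run time, and shows how many events each search scanned per result it returned. The field names started and scan_to_result_ratio are introduced here for illustration; the ratio is left empty when a search returned no results.

```spl
| history
| where is_realtime=0 AND total_run_time > 0
| eval started = strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval scan_to_result_ratio = if(result_count > 0, round(scan_count / result_count, 1), null())
| sort - total_run_time
| head 20
| table started sid status total_run_time scan_count event_count result_count scan_to_result_ratio search
```

A high scan_to_result_ratio alongside a long total_run_time usually points at a search that would benefit from a narrower time range or more selective terms.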
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.0.8, 7.0.11, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 8.0.0
Comments
Please clarify that this command will ONLY show the current user's history?
Can't you use sort to reverse the order? | history | sort _time
and |history | sort _time| where match(search,"user") to look for history entries that contain user
Actually, you should be able to pipe this search to further search parameters, and also use the reverse command ( http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Reverse ) to accomplish some of this.
Hi Supersleepwalker: I suggest you file an enhancement request with the Support team--this will get passed to Product Management for consideration.
I want to know how I can search my history. I'd like to be able to do a reverse search, like in bash.
Hi, SloshBurch. I updated the topic with more information. Thank you.