Use this command to view your search history in the current application. This search history is presented as a set of events or as a table.
| history [events=<bool>]
- Syntax: events=<bool>
- Description: When you specify
events=true, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specify
events=false, the search history is returned in a table format for more convenient aggregate viewing.
- Default: false
Fields returned when
Output field Description
The time that the search was started.
The earliest time of the API call, which is the earliest time for which events were requested.
The latest time of the API call, which is the latest time for which events were requested.
If the search retrieved or generated events, the count of events returned with the search.
The execution time of the search in integer quantity of seconds into the Unix epoch.
Indicates whether the search was real-time (1) or historical (0).
If the search is a transforming search, the count of results for the search.
The number of events retrieved from a Splunk index at a low level.
The search string.
The earliest time set for the search to run.
The latest time set for the search to run.
The search job ID.
The host name of the machine where the search was run.
The status of the search.
The total time it took to run the search in seconds.
history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
history command returns your search history only from the application where you run the command.
Return search history in a table
Return a table of the search history. You do not have to specify
events=false, since that this the default setting.
Return search history as events
Return the search history as a set of events.
| history events=true
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.9, 8.0.2007, 8.1.2008, 7.2.10, 8.0.2006, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104