history

Description

Use this command to view your search history in the current application. This search history is presented as a set of events or as a table.

Syntax

| history [events=<bool>]

Required arguments

None.

Optional arguments

events

Syntax: events=<bool>

Description: When you specify events=true, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specify events=false, the search history is returned in a table format for more convenient aggregate viewing.

Default: false

Fields returned when events=false.

Output field Description
_time The time that the search was started.
api_et The earliest time of the API call, which is the earliest time for which events were requested.
api_lt The latest time of the API call, which is the latest time for which events were requested.
event_count If the search retrieved or generated events, the count of events returned with the search.
exec_time The execution time of the search in integer quantity of seconds into the Unix epoch.
is_realtime Indicates whether the search was real-time (1) or historical (0).
result_count If the search is a transforming search, the count of results for the search.
scan_count The number of events retrieved from a Splunk index at a low level.
search The search string.
search_et The earliest time set for the search to run.
search_lt The latest time set for the search to run.
sid The search job ID.
splunk_server The host name of the machine where the search was run.
status The status of the search.
total_run_time The total time it took to run the search in seconds.

Usage

The history command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

The history command returns your search history only from the application where you run the command.

Examples

Return search history in a table

Return a table of the search history. You do not have to specify events=false, since that this the default setting. 

| history

This image shows the fields that are created when you run the history command using the default setting.

Return search history as events

Return the search history as a set of events. 

| history events=true

This image shows the search history as a set of events.