How To View Search History In Splunk


Hi guys !!

Hope you are doing well in Splunk. Have you ever wanted to find the queries you ran yesterday or last week?

Today we have come with a new and interesting Splunk topic: how to view search history in Splunk. There are several options by which you can find search history in Splunk.

Process 1:

a) Login to the Search Head with your credentials.

b) Click on the Search & Reporting app.

c) Click on Search History.

d) Now you can see a list of the SPL queries you ran before. The Search column shows the SPL query. You can add one to a new search tab by clicking Add to Search. You can also see the Last Run time of a particular query. A time filter at the top lets you select the time frame you want.

Process 2:

a) Login to the Search Head with your credentials.

b) Click on the Search & Reporting app.

c) In the search bar, run the following command:

| history

Run the above command to see the queries you ran before. You can also use the Time Range Picker to select a particular time frame. It shows search history for at most the last 30 days.

Process 3: CLI

There is another way to find the search history: from the CLI (Command Line Interface) we can also get information about the search history.

a) Open a terminal on your Search Head and go to $SPLUNK_HOME. In this case we have installed Splunk in /opt/splunk, so /opt/splunk is our $SPLUNK_HOME.

cd /opt/splunk

b) Then run a command to list the files where the history of the search queries is stored. Use your own host name followed by .csv in the command. In this case the host name is sh, so we have used sh.csv.

find . -name "sh.csv" -print

The output is a list of files where the contents of the search history are stored.

See one example below:

To view the contents of these files you have to run a command. First change the directory to $SPLUNK_HOME/bin.

cd /opt/splunk/bin

c) Now run a command to see the search history of a particular user. Here the user name is admin and the password for the admin user is 12345678.

./splunk search "|history" -auth admin:12345678
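Once the history is in hand, a review usually needs more than reading it line by line. As an added example (not code from the original post), this Python script parses a CSV export of the `| history` results and flags searches that export data, delete data or call the REST API directly; the sample rows, the field names (_time, search, status, result_count) and the review patterns are constructed assumptions, so compare them with your own export.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample shaped like a CSV export of
# "| history | table _time search status result_count" (field names assumed;
# compare them with your own export).
SAMPLE_HISTORY_CSV = """_time,search,status,result_count
2024-03-01T09:15:00.000+00:00,search index=web sourcetype=access_combined | stats count by status,done,12
2024-03-02T23:41:00.000+00:00,search index=_audit action=login | outputlookup all_logins.csv,done,4310
2024-03-03T10:02:00.000+00:00,search index=main error | delete,failed,0
2024-03-03T10:05:00.000+00:00,| rest /services/authentication/users | table title roles,done,27
"""

# Hypothetical review list: searches that export data, remove data, or hit
# the REST API directly deserve a second look when reviewing history.
REVIEW_PATTERNS = {
    "export": re.compile(r"\|\s*(outputlookup|outputcsv)\b", re.IGNORECASE),
    "delete": re.compile(r"\|\s*delete\b", re.IGNORECASE),
    "rest_api": re.compile(r"\|\s*rest\b", re.IGNORECASE),
}


def parse_history(csv_text):
    """Parse exported history rows; _time becomes a timezone-aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["_time"] = datetime.fromisoformat(row["_time"])
        row["result_count"] = int(row["result_count"] or 0)
        rows.append(row)
    return rows


def review_history(rows, since, patterns=REVIEW_PATTERNS):
    """Return searches run at or after `since` that match a review pattern.
    Failed searches are kept on purpose: an attempted "| delete" matters too.
    "| history" only covers 30 days, so an older `since` adds nothing."""
    findings = []
    for row in rows:
        if row["_time"] < since:
            continue
        tags = [name for name, rx in patterns.items() if rx.search(row["search"])]
        if tags:
            findings.append({"time": row["_time"].isoformat(), "status": row["status"],
                             "search": row["search"], "tags": tags})
    return findings
```

Feed it the CSV you exported from the `| history` search and pass a `since` that falls inside the 30-day window; anything older is simply not in the history.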

Hope this has helped you with viewing search history in Splunk without fail !!


Happy Splunking !!
