Lost my Search History twice: on Jan 02 (but it came back) and on Jan 03, and it has not been recovered since. I checked that I am in the right app and set "All Time".
- | history returns the 30 most recent searches, mostly from file loading or the UI, not my own
- index=_internal user=* sourcetype=splunkd_ui_access | dedup q | table _time, q | eval q=urldecode(q) returns 30 searches, none of my custom ones except one (?!)
Installed Splunk Enterprise 8.0.1 at the end of Dec; search history was there every time I logged in, except for the hiccup on Jan 02 and the full disappearance on Jan 03.
The history information is saved as a CSV file under $SPLUNK_HOME/etc/users/youruser/search/history. Please log in to the Splunk search head via the CLI and check whether you have a CSV file under $SPLUNK_HOME/etc/users/youruser/search/history. If you do not see the file under this path, it means the history is already gone. A possible alternative to recover it is a backup of the etc folder, if you ran one before the upgrade.
If you are running a search head cluster, it is possible that your history is not being properly replicated -> https://answers.splunk.com/answers/391876/is-there-any-way-to-get-splunk-to-replicate-search.html
Please see other search history topics that may help you -> https://answers.splunk.com/topics/search-history.html
Hi ivanreis, thanks for your advice. I located the file you mentioned. It had recent UI:Dashboard and today's UI:Search lines, but nothing from Jan 1, 2 or December. Those searches are not in there, and I did not delete them. I don't think I am running on the search head cluster, unless it is a default mode.
Can it be a bug?
I did not see any history issue reported for this version 8.0.0. I am not really sure whether this history file is cleaned up from time to time, or whether it can be a bug. Maybe you should open a ticket with Splunk Support for investigation. Create a diag file and attach it to your case by running $SPLUNK_HOME/bin/splunk diag
Run this command at the CLI to check whether you are running in a cluster environment. If you are not, you will receive the message below. The admin ID is required in order to get this information.
$SPLUNK_HOME/bin/splunk show shcluster-status
Your session is invalid. Please login.
Splunk username: admin
Encountered some errors while trying to obtain shcluster status.
Search Head Clustering is not enabled on this node. REST endpoint is not available
If this information is valid, please vote for my answer. Thanks
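The two checks from the answers above (look for the per-user history CSV under $SPLUNK_HOME/etc/users/&lt;user&gt;/search/history, then confirm whether search head clustering is enabled with splunk show shcluster-status) as a small shell helper. This is an added example, not code from the thread or from Splunk; it assumes only the directory layout named in the answer, matches any *.csv in that directory because the thread does not name the file, and builds a constructed demo tree so it runs without a Splunk installation.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a Splunk user's search-history CSV
# and, if the splunk binary is present, run the cluster check from the answer.

# Path of the history directory for $1 = SPLUNK_HOME, $2 = Splunk user name.
history_dir() {
    printf '%s/etc/users/%s/search/history\n' "$1" "$2"
}

# Print the first *.csv found in the user's history directory; fail if none.
find_history_csv() {
    dir=$(history_dir "$1" "$2")
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.csv; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Number of history rows in a CSV file (lines minus the header line).
history_row_count() {
    lines=$(wc -l < "$1")
    echo $(( lines > 0 ? lines - 1 : 0 ))
}

# Human-readable status for one user; non-zero exit if the file is missing.
report_history() {
    if csv=$(find_history_csv "$1" "$2"); then
        printf 'history file: %s (%s rows)\n' "$csv" "$(history_row_count "$csv")"
        echo 'most recent entries:'
        tail -n 5 "$csv"
    else
        printf 'no history CSV under %s; restore etc/ from a pre-upgrade backup if you have one\n' \
            "$(history_dir "$1" "$2")"
        return 1
    fi
}

# Cluster check from the answer above. Only runs when the binary exists, since the
# output ("Search Head Clustering is not enabled on this node") is what you read.
check_shcluster() {
    if [ -x "$1/bin/splunk" ]; then
        "$1/bin/splunk" show shcluster-status
    else
        echo "no splunk binary at $1/bin/splunk; skipping shcluster-status"
    fi
}

# Constructed demo tree (sample data, not a real Splunk install): alice has a
# history file with two rows, bob has the directory but no CSV.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/users/alice/search/history" "$root/etc/users/bob/search/history"
    cat > "$root/etc/users/alice/search/history/history.csv" <<'EOF'
_time,search,type
1578000000,index=_internal | head 5,UI:Search
1578003600,| history,UI:Search
EOF
    printf '%s\n' "$root"
}

demo() {
    root=$(make_demo_tree)
    report_history "$root" alice
    report_history "$root" bob || true
    check_shcluster "$root"
    rm -rf "$root"
}

demo
```

Run it against a real instance by calling report_history "$SPLUNK_HOME" youruser and check_shcluster "$SPLUNK_HOME" as the user that owns the Splunk files; an empty result from find_history_csv is the "history is already gone" case from the answer.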
I've got a similar issue with a clean install of 8.0.1 under Ubuntu, though in my case no history shows up at all on the summary page and I get nothing at all back from | history.
In my case, there is a .csv file in $SPLUNK_HOME/etc/users/myuser/search/history and new searches get appended to it.
Everything is running on a single machine, no clustering.