Re: Splunk History Missing | 9.2.3

geekf

The Splunk search history is not being saved. When I run a search, it remains visible for a few hours, but by the next day the history from the previous day is gone. Currently, the only searches that persist are those from the day we performed the upgrade.

If I go to $SPLUNK_HOME/etc/users/youruser/search/history I do see this file, and it has the UI:Dashboard searches.

What could be the reason Splunk is not retaining search history beyond the upgrade day?

kiran_panchavat

@geekf

Please review the configuration in your limits.conf file. You can adjust this value as needed.

To configure the retention period for users’ search history, create (or edit) the following file:
$SPLUNK_HOME/etc/system/local/limits.conf.

max_history_length = <integer>
* Maximum number of searches to store in history for each user and application.
* When 'search_history_storage_mode' has a value of "kvstore", this value is 
  applicable per user only, and not per user and application combination.
* Default: 500

https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Limitsconf

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Splunk History Missing | 9.2.3

administration

troubleshooting

using Splunk Enterprise

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?