
    Why did my search history disappear( Splunk Enterprise 8.0.1)?

    olgademo
    New Member

    Lost my Search History twice: on Jan 02 - but it came back, and on Jan 03, and it was not recovered since. I checked that I am in the right app, and set "All Time".
    - |history returns recent 30 searches, mostly from file loading or UI, not my own
    - index=_internal user=* sourcetype=splunkd_ui_access | dedup q | table _time, q | eval q=urldecode(q) returns 30 searches, not my custom ones except one ( ?!)

    Installed Splunk Enterprise 8.0.1 at the end of Dec; search history was there every time I logged in except the hiccup on Jan 02 and full disappearance on Jan 03.
    Thanks!

    0 Karma
    1 Solution

    ivanreis
    Builder

    The history information is being saved under $SPLUNK_HOME/etc/users/youruser/search/history in a csv file. Please log in to the splunk search head using the cli and check if you have a csv file under the history folder at $SPLUNK_HOME/etc/users/youruser/search/history. If you do not see the file under this path, it means the history is already gone. A possible alternative to recover it is if you ran a backup of the etc folders before you ran the upgrade.

    If you are running on a search head cluster, it is possible that your history is not being properly replicated -> https://answers.splunk.com/answers/391876/is-there-any-way-to-get-splunk-to-replicate-search.html

    Please see other search history topics that maybe can help you -> https://answers.splunk.com/topics/search-history.html



    olgademo
    New Member

    Hi ivanreis, thanks for your advice. I located the file you mentioned. It had recent UI:Dashboard and today's UI:Search lines, but nothing from Jan 1, 2 or December. Those searches are not in there, and I did not delete them. I don't think I am running on the search head cluster, unless it is a default mode.
    Can it be a bug?

    0 Karma

    ivanreis
    Builder

    I did not see any history issue reported on this version 8.0.0. I am not really sure if this history file is cleaned up from time to time. I am not really sure if it can be a bug. Maybe you should open a ticket with splunk support for investigation. Create a diag file and attach it to your case by running $Splunk_Home/bin/splunk diag

    Run this command at the cli to check if you are running in a cluster environment. If you are not, you will receive the message below. The admin id is required in order to get this information.

    $Splunk_Home/bin/splunk show shcluster-status
    Your session is invalid. Please login.
    Splunk username: admin
    Password:

    Encountered some errors while trying to obtain shcluster status.
    Search Head Clustering is not enabled on this node. REST endpoint is not available

    If you see this information is valid, please vote for my answer. Thanks

    0 Karma
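As an added example (not code from this thread or from Splunk), the POSIX shell script below automates the two checks ivanreis describes: it walks $SPLUNK_HOME/etc/users/<user>/search/history and reports, per Splunk user, whether a history csv exists and how many data rows it holds, and it classifies saved output of `splunk show shcluster-status` by looking for the "Search Head Clustering is not enabled" message quoted above. The function names, the tab-separated report format and the sample csv used when running it are my own assumptions; the thread does not document the csv's column layout, so the script only counts rows and does not parse fields.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Audits per-user search history files
# under $SPLUNK_HOME/etc/users/<user>/search/history (the path named in the
# accepted answer) and interprets "splunk show shcluster-status" output.

# Number of data rows in one history csv (total lines minus the header line).
count_history_rows() {
    csv="$1"
    [ -f "$csv" ] || { echo 0; return 1; }
    rows=$(( $(wc -l < "$csv") - 1 ))
    [ "$rows" -lt 0 ] && rows=0
    echo "$rows"
}

# Prints one tab-separated line per Splunk user:
#   <user>  NO_HISTORY_DIR          search/history folder missing
#   <user>  NO_CSV                  folder present but empty
#   <user>  <file>  <n> rows        a history csv was found
# Returns 0 if at least one csv was found anywhere, 1 otherwise.
audit_search_history() {
    splunk_home="${1:-${SPLUNK_HOME:-/opt/splunk}}"   # assumed default install path
    users_dir="$splunk_home/etc/users"
    [ -d "$users_dir" ] || { echo "no users directory at $users_dir" >&2; return 2; }
    found=0
    for user_dir in "$users_dir"/*/; do
        [ -d "$user_dir" ] || continue
        user=$(basename "$user_dir")
        hist_dir="$user_dir/search/history"
        if [ ! -d "$hist_dir" ]; then
            printf '%s\tNO_HISTORY_DIR\n' "$user"
            continue
        fi
        for csv in "$hist_dir"/*.csv; do
            # An unmatched glob stays literal, so -f tells us the folder is empty.
            if [ ! -f "$csv" ]; then
                printf '%s\tNO_CSV\n' "$user"
                continue
            fi
            printf '%s\t%s\t%s rows\n' "$user" "$(basename "$csv")" "$(count_history_rows "$csv")"
            found=$((found + 1))
        done
    done
    [ "$found" -gt 0 ]
}

# Reads captured output of "splunk show shcluster-status" on stdin and prints
# "standalone" when it carries the not-enabled message quoted in the thread,
# otherwise "clustered-or-unknown" (the output of a real cluster is not shown
# in the thread, so it is not parsed further).
shc_status_from_output() {
    if grep -q 'Search Head Clustering is not enabled'; then
        echo "standalone"
    else
        echo "clustered-or-unknown"
    fi
}

# Usage (assumed paths):
#   audit_search_history /opt/splunk
#   /opt/splunk/bin/splunk show shcluster-status 2>&1 | shc_status_from_output
```

Run the audit as the OS account that owns the Splunk installation; a history folder that exists but holds no csv, or a csv whose row count stops growing after new searches, is the symptom the thread describes, and the user column in the report is the Splunk-provisioned user (Settings -> Users), which is what the later replies turn out to hinge on.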

    dkozinn
    Path Finder

    I've got a similar issue with a clean install of 8.0.1 under Ubuntu, though in my case no history shows up at all on the summary page and I get nothing at all back from |history.

    In my case, there is a .csv file in $SPLUNK_HOME/etc/users/my_user/search/history and new searches get appended to that.

    Everything is running on a single machine, no clustering.

    BDein
    Explorer

    Did you ever get a solution to this?

    I'm running a single instance on Mac, and have same issue, but the csv is there, but it doesn't show up in "Search History" nor using | history

    0 Karma

    dkozinn
    Path Finder

    I'd forgotten about this post, I did get a resolution: For devtest instances, it turns out that a number of functions don't work properly if you've changed the name of the user to anything other than "admin". Once I changed it back to admin not only did history start working, but an issue I'd had with mail not being delivered got fixed as well.

    Let me know if that fixes the issue for you.

    0 Karma

    BDein
    Explorer

    So basically what you're telling is, that non-standard usernames can cause this issue, or what exactly are you describing here?

    I've struggled with this for more than a year now, and got no usable answer anywhere...

    my username in Splunk is nilsjul, but the history lookup file is named: "BDs-MacBook-Pro-2019-idx.csv"

    0 Karma

    dkozinn
    Path Finder

    For the license I have (Dev/Test), I can only have one user, which by default is "admin". I'd changed that, and from the information that I got, the user name not being "admin" on a Dev/Test instance is what causes the problems.

    Note that this has nothing to do with the account on the machine that it's running on; This is the user that you provision within Splunk itself (Settings->Users).

    0 Karma

    BDein
    Explorer

    For info, it actually worked as soon as I renamed my userid in etc/passwd👍 

    0 Karma

    dkozinn
    Path Finder

    Interesting that you did that.  My instance of Splunk runs on a small Ubuntu server (no GUI) and I access from any number of different systems, but always using "admin" as a user ID when I have to log in.

    0 Karma

    BDein
    Explorer

    Thanks for the info, but it still doesn't make much sense, unless Splunk has made some weird hardcode on the admin account for test/dev licenses.

    Thanks again for your input:-)  

    0 Karma

    forloop
    Engager

    I have the same exact issue. 8.0.4.1

    0 Karma