How do I configure the retention period for users' search history?
Create a $SPLUNK_HOME/etc/system/local/limits.conf file if it does not already exist.
[search]
max_history_length = 2000
This is from the documentation:
max_history_length = <int>
* Max number of searches to store in history (per user/app)
* Defaults to 1000
The | history command reads the contents of the file $SPLUNK_HOME/etc/users/UserName/AppName/history/SHName.csv, and the data is not indexed. Not sure if a retention applies there.
Indeed. It seems only the most recent 1000 searches are stored. I'm interested in increasing the retention. Any ideas what controls that retention limit?