Why is search history retention inconsistent betwe...

gregbo · ‎12-02-2022

I have two Splunk Enterprise environments, both at 9.0.2. For users in one environment, search history goes back only two days. For users in the other environment, search history goes back more than 8 months. Any clue about what could cause that?

Both environments are using a single search head.

Users are set up the same in each environment.

The limits.conf on both search heads is identical.

I verified that the user's search history .csv file goes back two days on one and 8 months on the other.

PickleRick · ‎12-02-2022

History is limited by number of entries, not by time. So if the user is much more active on one SH, the limit might be hit earlier.

BTW, did you just look into system/local/limits.conf or did a btool?

The setting you're looking for is

[search]
max_history_length = <integer>

gregbo · ‎12-05-2022

I checked for max_history_length in all directories on both search heads, and on both it's only defined in system/default/limits.conf with the default value of 1000

I then checked the history file for myself on both search heads, and one has 1614 entries and the other has 2609 entries.

When I check the Search History in Splunk Web, i see 36 searches (going back 3 days) on the Search Head that has 2609 entries, and 261 searches (going back 8 months) on the Search Head that shows 1614 entries in the file.

So, I don't understand the relationship between the max_history_length stanza and how many searches show up

Why is search history retention inconsistent between search heads?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!