Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is search history retention inconsistent between search heads?

gregbo
Communicator
‎12-02-2022 02:56 AM

I have two Splunk Enterprise environments, both at 9.0.2. For users in one environment, search history goes back only two days. For users in the other environment, search history goes back more than 8 months. Any clue about what could cause that?

Both environments are using a single search head.

Users are set up the same in each environment.

The limits.conf on both search heads is identical.

I verified that the user's search history .csv file goes back two days on one and 8 months on the other.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-02-2022 06:53 AM

History is limited by number of entries, not by time. So if the user is much more active on one SH, the limit might be hit earlier.

BTW, did you just look into system/local/limits.conf or did a btool?

The setting you're looking for is

[search]
max_history_length = <integer>
0 Karma
Reply

gregbo
Communicator
‎12-05-2022 04:10 AM

I checked for max_history_length in all directories on both search heads, and on both it's only defined in system/default/limits.conf with the default value of 1000

I then checked the history file for myself on both search heads, and one has 1614 entries and the other has 2609 entries.

When I check the Search History in Splunk Web, i see 36 searches (going back 3 days) on the Search Head that has 2609 entries, and 261 searches (going back 8 months) on the Search Head that shows 1614 entries in the file.

So, I don't understand the relationship between the max_history_length stanza and how many searches show up

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...