Splunk Search

Why is search history retention inconsistent between search heads?

gregbo
Communicator

I have two Splunk Enterprise environments, both at 9.0.2. For users in one environment, search history goes back only two days. For users in the other environment, search history goes back more than 8 months. Any clue about what could cause that?

Both environments are using a single search head.

Users are set up the same in each environment.

The limits.conf on both search heads is identical.

I verified that the user's search history .csv file goes back two days on one and 8 months on the other.

0 Karma

PickleRick
SplunkTrust

History is limited by number of entries, not by time. So if the user is much more active on one SH, the limit might be hit earlier.

BTW, did you just look into system/local/limits.conf or did a btool?

The setting you're looking for is

[search]
max_history_length = <integer>
0 Karma
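As an added illustration of the entry-based limit described above (example code written for this thread, not from the original posts or from Splunk), the script below parses a user's search-history CSV, reports how many rows it holds, how far back they reach, and whether the row count exceeds max_history_length. The column names (_time, search, status), the sample rows and the default cap of 1000 are assumptions made for the example.

```python
import csv
import io
import sys
from datetime import datetime, timezone

# Constructed sample of a search-history CSV for this example.
# Column layout is an assumption; check the real file's header row.
SAMPLE_CSV = """_time,search,status
1700000000,search index=main error,completed
1700003600,search index=main error,completed
1700007200,search index=web status=500 | stats count,completed
1700090000,search index=main error,completed
"""

# Default value of [search] max_history_length in limits.conf (assumed here).
DEFAULT_MAX_HISTORY_LENGTH = 1000


def summarize_history(csv_text, max_history_length=DEFAULT_MAX_HISTORY_LENGTH):
    """Return entry count, distinct search count, time span and cap status.

    Retention is governed by the number of entries, so a busy user fills the
    history faster and the oldest entries fall off sooner in wall-clock terms.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    times = sorted(int(float(r["_time"])) for r in rows)
    distinct = {r["search"].strip() for r in rows}

    if times:
        oldest = datetime.fromtimestamp(times[0], tz=timezone.utc).isoformat()
        newest = datetime.fromtimestamp(times[-1], tz=timezone.utc).isoformat()
        span_days = (times[-1] - times[0]) / 86400.0
    else:
        oldest = newest = None
        span_days = 0.0

    return {
        "entries": len(rows),
        "distinct_searches": len(distinct),
        "oldest": oldest,
        "newest": newest,
        "span_days": span_days,
        # True when the file holds more rows than the configured cap,
        # which is worth investigating rather than taking at face value.
        "over_cap": len(rows) > max_history_length,
    }


def summarize_file(path, max_history_length=DEFAULT_MAX_HISTORY_LENGTH):
    """Summarize a real history CSV on disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8", newline="") as fh:
        return summarize_history(fh.read(), max_history_length)


if __name__ == "__main__":
    # Usage: python history_check.py [path/to/history.csv] [max_history_length]
    cap = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_MAX_HISTORY_LENGTH
    if len(sys.argv) > 1:
        summary = summarize_file(sys.argv[1], cap)
    else:
        summary = summarize_history(SAMPLE_CSV, cap)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against each search head's history file and compare the entry counts and time spans; pass the effective max_history_length as the second argument, taking the value from `splunk btool limits list search --debug` rather than from a single limits.conf so that every layer of configuration is accounted for.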

gregbo
Communicator

I checked for max_history_length in all directories on both search heads, and on both it's only defined in system/default/limits.conf with the default value of 1000.

I then checked the history file for myself on both search heads, and one has 1614 entries and the other has 2609 entries.

When I check the Search History in Splunk Web, I see 36 searches (going back 3 days) on the Search Head that has 2609 entries, and 261 searches (going back 8 months) on the Search Head that shows 1614 entries in the file.

So, I don't understand the relationship between the max_history_length stanza and how many searches show up.

0 Karma