Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

history command Catch 22

topdeck
Explorer
‎06-13-2012 11:09 AM

Try:

history type=ah action=settle

I get this helpful hint:

"Note: Your first search term is also a search command. Did you mean " | history"?"

Okay Splunk, thanks for the tip.

I'll try:

type=ah action=settle | history

"Error in 'history' command: This command must be the first command of a search."

What in the blue hell is going on here? I did a search yesterday and I can't remember what it was, and before you ask, I don't have access to the box Splunk runs on so I can't look at the logs.

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-13-2012 12:19 PM 
| history | where search LIKE "%ah%"

or 

| history | eval _raw=search | search "type=ah"
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎06-13-2012 11:21 AM

The first message is telling you that there is a 'history' command,

and the second message, may not make much sense if you've never seen it before, but it means that you have to do this:

| history type=ah action=settle

where the pipe character is literally at the beginning of the search. History is what they call a "generating" command.

However if you're trying to actually search for the word "history", then you don't want the history command.

Reply

topdeck
Explorer
‎06-13-2012 11:34 AM

Thank you, this was almost the answer.

| history

Returns all of my searches but I can't seem to filter them. Doing something like:

| history type=ah

Results in "Error in 'history' command: Invalid argument: 'type=ah'"

I also tried

| history | type=ah

or

| history | search type=ah

It doesn't like that.

| history | search ah

Does work, it's ugly but at least it's something.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...