Re: history command Catch 22

topdeck · ‎06-13-2012

Try:

history type=ah action=settle

I get this helpful hint:

"Note: Your first search term is also a search command. Did you mean " | history"?"

Okay Splunk, thanks for the tip.

I'll try:

type=ah action=settle | history

"Error in 'history' command: This command must be the first command of a search."

What in the blue hell is going on here? I did a search yesterday and I can't remember what it was, and before you ask, I don't have access to the box Splunk runs on so I can't look at the logs.

gkanapathy · ‎06-13-2012

| history | where search LIKE "%ah%"

or

| history | eval _raw=search | search "type=ah"

sideview · ‎06-13-2012

The first message is telling you that there is a 'history' command,

and the second message, may not make much sense if you've never seen it before, but it means that you have to do this:

| history type=ah action=settle

where the pipe character is literally at the beginning of the search. History is what they call a "generating" command.

However if you're trying to actually search for the word "history", then you don't want the history command.

topdeck · ‎06-13-2012

Thank you, this was almost the answer.

| history

Returns all of my searches but I can't seem to filter them. Doing something like:

| history type=ah

Results in "Error in 'history' command: Invalid argument: 'type=ah'"

I also tried

| history | type=ah

or

| history | search type=ah

It doesn't like that.

| history | search ah

Does work, it's ugly but at least it's something.

history command Catch 22

Observability Highlights | January 2023 Newsletter

Security Highlights | January 2023 Newsletter

Platform Highlights | January 2023 Newsletter