How do I configure the retention period for users' search history?

rmacurak
Explorer

How do I configure the retention period for users' search history?

0 Karma

lguinn2
Legend

Create a $SPLUNK_HOME/etc/system/local/limits.conf file if it does not already exist.
In limits.conf:

[search]
max_history_length = 2000

This is from the documentation:

max_history_length = <int>
* Max number of searches to store in history (per user/app)
* Defaults to 1000

somesoni2
SplunkTrust

The | history command reads the contents of the $SPLUNK_HOME/etc/users/UserName/AppName/history/SHName.csv file, and the data is not indexed. Not sure if retention applies there.

0 Karma

rmacurak
Explorer

Indeed. It seems only the most recent 1000 searches are stored. I'm interested in increasing the retention. Any ideas what controls that retention limit?

0 Karma
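
An added example, not code from the thread or from Splunk: a check of which limit is in effect and which per-user history files have already reached it, meaning older searches are no longer retained. It assumes the history path mentioned in the thread, reads only system/local/limits.conf, counts one CSV row per search, and runs on a constructed sample tree; all function names are hypothetical.

```python
import csv
import tempfile
from pathlib import Path

DEFAULT_MAX_HISTORY = 1000  # documented default quoted in the answer above

def read_max_history(conf_path):
    """Return max_history_length from the [search] stanza, or None if unset."""
    if not conf_path.is_file():
        return None
    stanza, value = None, None
    for raw in conf_path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "search" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "max_history_length":
                value = int(val.strip())
    return value

def effective_limit(splunk_home):
    # Assumption: only system/local is checked; app-level overrides are ignored.
    local = read_max_history(splunk_home / "etc/system/local/limits.conf")
    return DEFAULT_MAX_HISTORY if local is None else local

def files_at_cap(splunk_home):
    """List (user, app, file, rows) for history CSVs holding >= limit rows."""
    limit, hits = effective_limit(splunk_home), []
    for f in sorted((splunk_home / "etc/users").glob("*/*/history/*.csv")):
        with f.open(newline="") as fh:
            rows = sum(1 for _ in csv.reader(fh))  # assumption: one row per search
        if rows >= limit:
            hits.append((f.parts[-4], f.parts[-3], f.name, rows))
    return hits

def build_sample(root, limit=None):
    """Constructed tree: alice has 1000 rows, bob has 12; optional local limit."""
    for user, n in (("alice", 1000), ("bob", 12)):
        d = root / "etc/users" / user / "search/history"
        d.mkdir(parents=True, exist_ok=True)
        (d / "sh01.csv").write_text("".join(f"{i},index=main\n" for i in range(n)))
    if limit is not None:
        conf = root / "etc/system/local/limits.conf"
        conf.parent.mkdir(parents=True, exist_ok=True)
        conf.write_text(f"[search]\nmax_history_length = {limit}\n")
    return root

if __name__ == "__main__":
    home = build_sample(Path(tempfile.mkdtemp()))
    print(effective_limit(home), files_at_cap(home))
```

On a real search head, point `effective_limit` and `files_at_cap` at the Splunk installation directory instead of the sample tree.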