topic Re: Add a comment to a search? in Splunk Search

Add a comment to a search?

Jason — Thu, 24 May 2012 14:11:49 GMT

I'm working on a really large search right now (on the order of 35 lines long). Is there a good way to insert a comment into a search query to remind a future search editor what is going on?

There doesn't seem to be a | comment command.

perhaps | rex field=bogus "This could be a comment" ?

Re: Add a comment to a search?

araitz — Thu, 24 May 2012 15:31:07 GMT

That's a pretty cool idea! Today, I don't think there is any such mechanism, and I wouldn't recommend using rex as such 🙂

Re: Add a comment to a search?

Jason — Thu, 24 May 2012 16:04:33 GMT

What would you recommend then?

Re: Add a comment to a search?

Jason — Thu, 24 May 2012 16:06:26 GMT

or maybe | rex field=comment "(?#This is a comment)" ?

Re: Add a comment to a search?

araitz — Thu, 24 May 2012 16:08:29 GMT

I try to use macros when possible and give both the macros and saved searches names that strongly bely what purpose they serve.

Re: Add a comment to a search?

Jason — Thu, 24 May 2012 17:14:01 GMT

Makes sense. Multiple macros can get very confusing, especially multiple levels of them, to anyone trying to maintain or edit a search. However, the search does have three sections that are repeated, so I will attempt to put that in a single macro.

Re: Add a comment to a search?

Jason — Thu, 24 May 2012 17:14:09 GMT

But the question of how to best add a comment to a search, in the absence of a |comment, is still open.

Re: Add a comment to a search?

araitz — Thu, 24 May 2012 17:17:15 GMT

Agreed, macros can get pretty confusing and there is no way to in-line comment searches, which would be very cool.

Re: Add a comment to a search?

kmattern — Thu, 24 May 2012 20:02:24 GMT

There is one way that does work and it's pretty simple. Place a rename function at the very end of the search and put all your comments in one long string inside double quotes. Here is the end of a 21 line search followed by a comment:

| table Servers,Access_Status,Access,TM,TD,TDB,MB
| rename comment AS "This is a comment. 
1. The search should run
2. none of this comment should show"

The search runs but the comment does not show.

Re: Add a comment to a search?

araitz — Thu, 24 May 2012 20:03:10 GMT

Clever! I like it.

Re: Add a comment to a search?

_d_ — Fri, 25 May 2012 00:21:18 GMT

...and then make a long search even longer 🙂

Re: Add a comment to a search?

lpolo — Fri, 25 May 2012 11:41:46 GMT

We use a SVN repository to document all our Splunk queries we have in production.

Re: Add a comment to a search?

fk319 — Fri, 25 May 2012 13:03:28 GMT

I complained to my SE about this. He sugested:

| eval commnet="This is a comment"

Re: Add a comment to a search?

Jason — Fri, 25 May 2012 14:21:17 GMT

Nice. This looks like the least work for Splunk to do as part of a search

Re: Add a comment to a search?

kmattern — Fri, 25 May 2012 14:24:58 GMT

I would think it uses fewer clocks than the eval.

Re: Add a comment to a search?

araitz — Fri, 25 May 2012 14:46:43 GMT

This would be wasteful for large result sets, as it would create a 'comment' field for each result.

Re: Add a comment to a search?

fk319 — Fri, 25 May 2012 14:53:11 GMT

The rename looks better...

Re: Add a comment to a search?

commerinesong — Fri, 28 Dec 2012 12:17:29 GMT

If the comment supposed to be always the same per category : the best thing seems to create a lookup on a field (like error field), that has 2 columns "error", "comment" and apply the lookup at the end of your search to add the comment. Then you just have to maintain the lookup table.

Re: Add a comment to a search?

edonze — Mon, 28 Sep 2020 13:34:22 GMT

I'd like to make comments an enhancement request for Splunk so that comments could be placed throughout the search without affecting it from the current pipe through the next pipe, both to disable portions of the search that aren't currently being used and to allow comments to be placed inline in the search. Any of these formats would be sensible:
|comment
|rem
|#
or even
||
for instance:

index=main source=df
|rex field=_raw "(?\w\S)\shas\s(?\d{1,2})\%\sfree" max_match=10
| eval disk-pctfree = mvzip(disk, pctfree) | mvexpand disk-pctfree |fields host, disk-pctfree | rex field=disk-pctfree "(?\w\S),(?\d{1,2})" |stats min(pctfree) by host, disk | sort by min(pctfree) | rename min(pctfree) as "Minimum % Free"
| search "Minimum % Free"<11

|comment begin exclusions
|search NOT ( host=hostname1 AND disk=D: )
|search NOT ( host=hostname2 AND disk=D: )
|search NOT ( host=hostname3 AND disk=C: )
|comment use this method to set an alternate minimum: search NOT ( host=hostname4 AND disk=E: AND "Minimum % Free">5 )

Re: Add a comment to a search?

edonze — Thu, 21 Mar 2013 17:18:24 GMT

The html style comment did not parse properly. It shows up as two pipes instead of pipe less than bang dash dash comment dash dash greater than pipe.