Commenting Search Code

Contributor

I would like to add comments to my searches, saved searches, macros and just about anywhere that I write search syntax. I have searches that have dozens of lines and they still call macros to organize the syntax and reduce duplication.

I thought of adding a bunch of evals:

...| eval comment="Added splunk_server check to reduce load on slow indexers..."

But this has side effects and causes a slight increase in resource consumption.

Does anyone have a more elegant way to comment search code?

1 Solution

Path Finder

I created a do-nothing "comment.py" (and associated commands.conf stanza), dropped it into the search app's bin directory, and voila! Now I can do this:

... some commands | COMMENT This is a comment | ... more commands

Here's comment.py:


import splunk.Intersplunk

def docomment(results, settings):
    # Do nothing: pass the events through unchanged.
    splunk.Intersplunk.outputResults(results)

# Read the incoming events and search settings from Splunk.
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
docomment(results, settings)

commands.conf:


[comment]
retainsevents = true
streaming = true
filename = comment.py

That's it!

Quick & dirty deploy: drop comment.py in $SPLUNK_HOME/etc/apps/search/bin, commands.conf in $SPLUNK_HOME/etc/apps/search/local, and restart.

Probably should be packaged in its own app using the new templated approach.

Explorer

Some extra cost in execution:

index=_internal * |head 1 | COMMENT TEST| COMMENT TEST| COMMENT TEST| COMMENT TEST| COMMENT TEST

Duration (seconds)    Component          Invocations    Input count    Output count
0.23                  command.COMMENT    5              5              5

But this is really nice!

0 Karma

Splunk Employee

Unfortunately, this approach means that the comment command ends up de-serializing and re-serializing every event from and to CSV in python. That's in general fairly costly.

A macro based approach would be best. Basically define a comment macro that evaluates to the empty string regardless of the input argument.

0 Karma
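
The macro approach described in the reply above, as an added example that is not part of the original thread: a macros.conf stanza for a one-argument macro whose eval-based definition expands to an empty string. The file location and the argument name `text` are assumptions.

```ini
# macros.conf, e.g. in $SPLUNK_HOME/etc/apps/search/local (location is an assumption)
# One-argument macro: the argument is accepted and then discarded.
[comment(1)]
args = text
# iseval = 1 makes Splunk treat the definition as an eval expression that
# must return a string. It returns the empty string, so the macro call
# expands to nothing before the search is dispatched and no events pass
# through an external script.
definition = ""
iseval = 1

# Usage inside a search (macro calls are wrapped in backticks):
#   index=_internal | head 1 `comment("keep a single event for the test")` | stats count by sourcetype
```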

Contributor

This is a great solution to the problem, so I gave it the check! I would still like to see a native solution from Splunk, however. For example, I might want to do something like the following to comment pieces of SPL (similar to C-style):

| timechart /*limit=20*/ limit=5 span=/*5m*/10m count by sourcetype

Builder

Would this approach add noticeable overhead?

0 Karma

Contributor

I found another thread on this with useful suggestions:

http://splunk-base.splunk.com/answers/48865/add-a-comment-to-a-search

0 Karma

Contributor

It would also be nice to be able to comment out a section of a search without deleting the original text. This may come in handy for a quick fix.

I think I should file an enhancement request. I was just fishing for ideas in the meantime.

0 Karma

Contributor

Thanks. I want something that is a first-class citizen in the search command so that it is also passed to alert scripts and other Splunk things. It would also be nice to be able to copy and paste the entire search and know that you were grabbing the comments as well.

0 Karma

Splunk Employee

This isn't an answer per se, but I typically comment the search strings or macros within macros.conf itself, or perhaps the XML of a view / dashboard definition.

0 Karma