Dashboards & Visualizations

Why is Splunk Search Assistant highlighting certain words from my description in green color?

umairahmad3985
Path Finder

I am using searchbnf.conf file to provide help on my custom search commands but the search assistant is highlighting certain words from my description in green color which is not intended. How can I disable this or are there any escape characters I can use to ask Splunk to not highlight this?

Here's what my search assistant is showing:
alt text

And here is the entry in my searchbnf.conf file:

[snxapiquota-command]
syntax = snxapiquota
description = Find information about your API quota, like current usage, quota left etc.
example = | snxapiquota
usage = public

thambisetty
SplunkTrust
SplunkTrust

That’s because the command is not developed by Splunk. Its 3rd party command.

————————————
If this helps, give a like below.
0 Karma

malvidin
Communicator

I think there is a misunderstanding. This is a discussion on how the Splunk searchbnf.conf parser has undocumented and unwanted behavior, not about any particular app or any 3rd party commands.

0 Karma

malvidin
Communicator

For the highlighting, it appears that it has affected Splunk as well.  You can look at the shelper response to see the raw text, so the highlighting appears to be in the browser, not in the backend.

 

 

Note: if you want to use the "or" ("|") command

regex (field("="|"!="))?((\")?string(\")?)

 

 

malvidin_1-1596814209209.png

 

 

 

 

 

If you look at the chart command, it does the same to the BY/OVER that is capitalized in the source.

malvidin_0-1596815378048.png

 

0 Karma

lstewart_splunk
Splunk Employee
Splunk Employee

The default searchbnf.conf file located here in $SPLUNK_HOME/etc/system/default

Says this:

UPPERCASETERMS and quoted terms are put into <code/>

So when you have something like CSV, PDF, "myindex" the text appears in green color.

Sincerely,

Laura Stewart

Principal Technical Writer – Search Processing Language (SPL)

malvidin
Communicator

That is there, under the "DESCRIPTION FORMATTING" section.

The earlier "FORMATTING" section states to use \" to represent a quote. This is not directly aligned with the Description Formatting and does not work in a description.

The "\" is also shown as "\\", which is not documented.

Based on the descriptions shown above that were written by Splunk, it appears that this behavior was not understood by Splunk authors, or the parsing behavior changed and the descriptions were not updated.

The only concern I have with @lstewart_splunk's accurate answer, is that the current behavior breaks the description syntax for stock Splunk commands, as shown above for regex.  The Splunk authors for the regex syntax apparently expected that (\")?string(\")? would be shown as (")?string(")?, but instead, it is strangely highlighted.

0 Karma

malvidin
Communicator

It appears to happen with all uppercase words. I have not found a way around it yet.

0 Karma

malvidin
Communicator

I tried the following, with no luck.

AAAA _BBBB_ \CCCC "DDDD" 'EEEE' `FFFF`

uppercase_highlight.png

 I was surprised to see backslashes escaped, and the underscore after BBBB is highlighted but the underscore after is not. 

 

0 Karma

malvidin
Communicator

I replicated this issue with Splunk versions 7.2 and 8.0.

0 Karma

anmolpatel
Builder

@umairahmad3985 unable to replicate it on Splunk7.3.4. What Splunk version are you running ?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...