Dashboards & Visualizations

Why is Splunk Search Assistant highlighting certain words from my description in green color?

Path Finder

I am using searchbnf.conf file to provide help on my custom search commands but the search assistant is highlighting certain words from my description in green color which is not intended. How can I disable this or are there any escape characters I can use to ask Splunk to not highlight this?

Here's what my search assistant is showing:
alt text

And here is the entry in my searchbnf.conf file:

syntax = snxapiquota
description = Find information about your API quota, like current usage, quota left etc.
example = | snxapiquota
usage = public

Super Champion

That’s because the command is not developed by Splunk. Its 3rd party command.

If this helps, give a like below.
0 Karma


I think there is a misunderstanding. This is a discussion on how the Splunk searchbnf.conf parser has undocumented and unwanted behavior, not about any particular app or any 3rd party commands.

0 Karma


For the highlighting, it appears that it has affected Splunk as well.  You can look at the shelper response to see the raw text, so the highlighting appears to be in the browser, not in the backend.



Note: if you want to use the "or" ("|") command

regex (field("="|"!="))?((\")?string(\")?)









If you look at the chart command, it does the same to the BY/OVER that is capitalized in the source.



0 Karma

Splunk Employee
Splunk Employee

The default searchbnf.conf file located here in $SPLUNK_HOME/etc/system/default

Says this:

UPPERCASETERMS and quoted terms are put into <code/>

So when you have something like CSV, PDF, "myindex" the text appears in green color.


Laura Stewart

Principal Technical Writer – Search Processing Language (SPL)


That is there, under the "DESCRIPTION FORMATTING" section.

The earlier "FORMATTING" section states to use \" to represent a quote. This is not directly aligned with the Description Formatting and does not work in a description.

The "\" is also shown as "\\", which is not documented.

Based on the descriptions shown above that were written by Splunk, it appears that this behavior was not understood by Splunk authors, or the parsing behavior changed and the descriptions were not updated.

The only concern I have with @lstewart_splunk's accurate answer, is that the current behavior breaks the description syntax for stock Splunk commands, as shown above for regex.  The Splunk authors for the regex syntax apparently expected that (\")?string(\")? would be shown as (")?string(")?, but instead, it is strangely highlighted.

0 Karma


It appears to happen with all uppercase words. I have not found a way around it yet.

0 Karma


I tried the following, with no luck.



 I was surprised to see backslashes escaped, and the underscore after BBBB is highlighted but the underscore after is not. 


0 Karma


I replicated this issue with Splunk versions 7.2 and 8.0.

0 Karma


@umairahmad3985 unable to replicate it on Splunk7.3.4. What Splunk version are you running ?

0 Karma
Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...