Deployment Architecture

Is Syntax Highlighting broken on a Splunk 6.5.2 Search Head Cluster?

pkeller
Contributor

I'm finding that in all my 6.5.2 infrastructure that syntax highlighting is working fine, with the exception of my Search Head Cluster Members. This is pervasive across both my production and my test clusters. Is this perhaps a known issue?

Under user-prefs.conf, search_syntax_highlighting shows a value of 1

Thank you.

1 Solution

jcrabb_splunk
Splunk Employee
Splunk Employee

It works in my 6.5.2 SHC environment. Did you use btool to determine the value in place?

/opt/splunk/bin/splunk btool user-prefs list --debug

====
EDIT
====

To save some digging, I will copy the answer up here. There is a bug where the search syntax highlighting stops working if even just one command stanza in searchbnf.conf does not have syntax property listed/defined. If you search for any instances of searchbnf.conf, do you see any which are not shipped by default? Here are the default ones:

find . -name searchbnf.conf
 ./etc/apps/splunk_archiver/default/searchbnf.conf
 ./etc/system/default/searchbnf.conf

If you do, check if there are any stanzas without a "syntax" setting defined as it will cause this behavior. For any stanza without you can just add anything, really:

syntax = somesyntax

Here is the example from the SPEC file in our docs:

[selfjoin-command]
syntax = selfjoin ()
shortdesc = Join results with itself.
description = Join results with itself. Must specify at least one field to join on.
usage = public
example1 = selfjoin id
comment1 = Joins results with itself on 'id' field.
related = join
tags = join combine unite
*

If you do find one or more without syntax defined, you can either comment out the entire stanza and all its settings OR you can add a syntax.

Jacob
Sr. Technical Support Engineer

View solution in original post

jcrabb_splunk
Splunk Employee
Splunk Employee

It works in my 6.5.2 SHC environment. Did you use btool to determine the value in place?

/opt/splunk/bin/splunk btool user-prefs list --debug

====
EDIT
====

To save some digging, I will copy the answer up here. There is a bug where the search syntax highlighting stops working if even just one command stanza in searchbnf.conf does not have syntax property listed/defined. If you search for any instances of searchbnf.conf, do you see any which are not shipped by default? Here are the default ones:

find . -name searchbnf.conf
 ./etc/apps/splunk_archiver/default/searchbnf.conf
 ./etc/system/default/searchbnf.conf

If you do, check if there are any stanzas without a "syntax" setting defined as it will cause this behavior. For any stanza without you can just add anything, really:

syntax = somesyntax

Here is the example from the SPEC file in our docs:

[selfjoin-command]
syntax = selfjoin ()
shortdesc = Join results with itself.
description = Join results with itself. Must specify at least one field to join on.
usage = public
example1 = selfjoin id
comment1 = Joins results with itself on 'id' field.
related = join
tags = join combine unite
*

If you do find one or more without syntax defined, you can either comment out the entire stanza and all its settings OR you can add a syntax.

Jacob
Sr. Technical Support Engineer

pkeller
Contributor

ahah. Thank you. Yes. Quite a few searchbnf files. The one that splunkd.log is barking about appears to be from a Splunkbase app called Visual SPL. I may remove that one to see if it resolves the issue.

And also .. the Uncaught TypeError: does show up under the inspect console.

0 Karma

pkeller
Contributor

Does the searchbnf bug imply that if I add the entire 'highlight' section to ever non-standard searchbnf config file that this may solve the issue in the interim?

Thanks very much.

0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

I believe the issue is if there is a stanza with out a "syntax" setting defined, it will cause this behavior. For any stanza without you can just add anything, really:

syntax = somesyntax

Here is the example from the SPEC file in our docs:

[selfjoin-command]
syntax = selfjoin ()

shortdesc = Join results with itself.
description = Join results with itself. Must specify at least one field to join on.
usage = public
example1 = selfjoin id
comment1 = Joins results with itself on 'id' field.
related = join
tags = join combine unite*

So if you search through the ones you have, for any which is not defined with a syntax you can either comment out the entire thing or add a syntax.

Jacob
Sr. Technical Support Engineer
0 Karma

pkeller
Contributor

Thank you. I updated all searchbnf.conf files that had sections not containing a 'syntax' property with "syntax = foo", and deployed it to the cluster members. All is working fine now.

0 Karma

pkeller
Contributor

Yes. btool shows that the setting is toggled to true.
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf [general]
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf datasets:showInstallDialog = 1
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf infodelivery_enabled = 0
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf infodelivery_show_ad_modal = 1
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf infodelivery_show_configure_modal = 1
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_assistant = compact
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf search_syntax_highlighting = 1

As does

| rest /servicesNS/user/user-prefs/data/user-prefs/general | stats values(search_syntax_highlighting)

Which shows "true"

0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

Ok perfect, just like to confirm that is not a simple solution first. I did find a bug in the mean time, it appears that the search syntax highlighting stops working if one command does not have syntax property in searchbnf.conf. If you search for any instances of searchbnf.conf, do you see any which are not shipped by default?

 find . -name searchbnf.conf
./etc/apps/splunk_archiver/default/searchbnf.conf
./etc/system/default/searchbnf.conf

If they are the default, do you see any errors for "searchbnf" in the splunkd logs which may indicate an issue with the file? Another symptom is you use Chrome and simply enter a search command that should be highlighted (do not run the search) and then you go to the Developer Tools, then Console, you should see an error something like:

Uncaught TypeError:  Cannot read property...
Jacob
Sr. Technical Support Engineer
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...