Hi splunkers,

I'm convinced that following clean code principles starts with proper indentation.

That's why all my Splunk Queries are formatted using CMD + Shift + F after i write them. This gets you from this:

index="application_snow_pr" sourcetype="snow:incident" opened_at!=""  correlation_id!="" priority=2 earliest=-1d@d latest=@d | eval previousdate = relative_time( relative_time(now(), "@d") , "-1d") | eval opened_atepoc = strptime(opened_at, "%Y-%m-%d %H:%S") | where opened_atepoc>=previousdate | sistats dc(correlation_id) by it_product | eval _time = relative_time( relative_time(now(), "@d") , "-1d")

to this:

index="application_snow_pr" sourcetype="snow:incident" opened_at!="" correlation_id!="" priority=2 earliest=-1d@d latest=@d 
| eval previousdate = relative_time( relative_time(now(), "@d") , "-1d") 
| eval opened_atepoc = strptime(opened_at, "%Y-%m-%d %H:%S") 
| where opened_atepoc>=previousdate 
| sistats dc(correlation_id) by it_product 
| eval _time = relative_time( relative_time(now(), "@d") , "-1d")

It's 100% the same query, but it's much more understandable.

However, if you use the formatted query in a savedsearches.conf stanza, you are going to find out that the savedsearch in Splunk will only reflect everything BEFORE the first Pipe |

In this particular example, only the following part of the query is stored in Splunk on the Search Head:

 index="application_snow_pr" sourcetype="snow:incident" opened_at!="" correlation_id!="" priority=2 earliest=-1d@d latest=@d 

Question:

Is there a way to keep formatting clean in the savedsearches.conf stanza's, but also escaping the newline characters, so the savedsearch in Splunk will execute the full search, instead of only executing the part before the first PIPE?

I could go and just rewrite (remove all whitespaces and formatting from the queries) the whole conf file, but it has well over a 100 saved searches already.