
Proper formatting (indentation) of queries in savedsearches.conf stanza causes everything after the first | pipe to be ignored

Path Finder

Hi splunkers,

I'm convinced that following clean code principles starts with proper indentation.

That's why all my Splunk queries are formatted using CMD + Shift + F after I write them. This gets you from this:

index="application_snow_pr" sourcetype="snow:incident" opened_at!=""  correlation_id!="" priority=2 earliest=-1d@d latest=@d | eval previousdate = relative_time( relative_time(now(), "@d") , "-1d") | eval opened_atepoc = strptime(opened_at, "%Y-%m-%d %H:%S") | where opened_atepoc>=previousdate | sistats dc(correlation_id) by it_product | eval _time = relative_time( relative_time(now(), "@d") , "-1d")

to this:

index="application_snow_pr" sourcetype="snow:incident" opened_at!="" correlation_id!="" priority=2 earliest=-1d@d latest=@d 
| eval previousdate = relative_time( relative_time(now(), "@d") , "-1d") 
| eval opened_atepoc = strptime(opened_at, "%Y-%m-%d %H:%S") 
| where opened_atepoc>=previousdate 
| sistats dc(correlation_id) by it_product 
| eval _time = relative_time( relative_time(now(), "@d") , "-1d")

It's 100% the same query, but it's much more understandable.

However, if you use the formatted query in a savedsearches.conf stanza, you are going to find out that the savedsearch in Splunk will only reflect everything BEFORE the first Pipe |

In this particular example, only the following part of the query is stored in Splunk on the Search Head:

index="application_snow_pr" sourcetype="snow:incident" opened_at!="" correlation_id!="" priority=2 earliest=-1d@d latest=@d

Question:

Is there a way to keep the formatting clean in the savedsearches.conf stanzas while also escaping the newline characters, so the saved search in Splunk executes the full search instead of only the part before the first pipe?

I could go and just rewrite the whole conf file (remove all whitespace and formatting from the queries), but it has well over 100 saved searches already.


Re: Proper formatting (indentation) of queries in savedsearches.conf stanza causes everything after the first | pipe to be ignored

Path Finder

I'm resolving this issue by removing the line breaks from all saved searches.
Easiest way to do it is to use a tool, e.g. http://removelinebreaks.net/ where I can Convert line breaks to None and Convert paragraphs to No paragraph.

This is just a workaround; it doesn't take away the fact that the stanzas are not meant/ cannot handle/ deal with line breaks in queries.


Re: Proper formatting (indentation) of queries in savedsearches.conf stanza causes everything after the first | pipe to be ignored

SplunkTrust

"stanza's are not meant/ cannot handle/ deal with line breaks in queries" is false. There are hundreds of searches with line breaks in savedsearches.conf. See $SPLUNK_HOME/etc/apps/splunk_instrumentation/default/savedsearches.conf for examples.

---
If this reply helps you, an upvote would be appreciated.

Re: Proper formatting (indentation) of queries in savedsearches.conf stanza causes everything after the first | pipe to be ignored

SplunkTrust

The solution, as you hinted, is to escape newline characters in the search. Put a \ at the end of each line (except the last) of the SPL.

---
If this reply helps you, an upvote would be appreciated.

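An added illustration of the accepted answer, not code from this thread or from Splunk: a small Python script that models the backslash-continuation rule, shows that a stanza pasted with bare newlines keeps only the text before the first pipe as its search, and rewrites such a stanza by appending the trailing backslash to every continued line. The stanza name and the simplified .conf parsing rules are assumptions; the SPL is the asker's query from above.

```python
import re

# Constructed sample: the asker's formatted search pasted into savedsearches.conf
# with bare newlines, i.e. the form that loses everything after the first pipe.
BROKEN_CONF = """[SNOW P2 incidents by product]
search = index="application_snow_pr" sourcetype="snow:incident" opened_at!="" correlation_id!="" priority=2 earliest=-1d@d latest=@d
| eval previousdate = relative_time( relative_time(now(), "@d") , "-1d")
| eval opened_atepoc = strptime(opened_at, "%Y-%m-%d %H:%S")
| where opened_atepoc>=previousdate
| sistats dc(correlation_id) by it_product
| eval _time = relative_time( relative_time(now(), "@d") , "-1d")
cron_schedule = 0 1 * * *
enableSched = 1
"""

STANZA = re.compile(r"^\s*\[(.+)\]\s*$")
KEY_VALUE = re.compile(r"^\s*([^=\s][^=]*?)\s*=\s*(.*)$", re.S)

def parse_conf(text):
    """Simplified model (an assumption, not Splunk's parser) of the two .conf rules
    that matter: a trailing backslash joins the next line onto the current value;
    every other line must be a [stanza] header or key = value."""
    stanzas, current, pending = {}, None, []
    for raw in text.splitlines():
        if raw.endswith("\\"):            # continuation requested
            pending.append(raw[:-1])
            continue
        line, pending = "\n".join(pending + [raw]), []
        if m := STANZA.match(line):
            current = stanzas.setdefault(m.group(1), {})
        elif (m := KEY_VALUE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        # a bare "| sistats ..." line matches neither rule and is dropped
    return stanzas

def escape_search_continuations(text):
    """Add the trailing backslash the accepted answer describes to each line of a
    multi-line `search =` value that is followed by a pipe-led SPL line."""
    lines, in_search = text.splitlines(), False
    for i, line in enumerate(lines):
        if re.match(r"^\s*search\s*=", line):
            in_search = True
        elif not line.lstrip().startswith("|"):
            in_search = False
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if in_search and nxt.lstrip().startswith("|") and not line.endswith("\\"):
            lines[i] = line.rstrip() + " \\"
    return "\n".join(lines) + "\n"
```

Running `escape_search_continuations` over a whole savedsearches.conf is one way to fix all hundred-plus stanzas at once while keeping the one-pipe-per-line layout; diff the result before deploying it to the search head.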
