Solved: Re: Add a comment to a search? - Page 2

Jason · ‎05-24-2012

I'm working on a really large search right now (on the order of 35 lines long). Is there a good way to insert a comment into a search query to remind a future search editor what is going on?

There doesn't seem to be a | comment command.

perhaps | rex field=bogus "This could be a comment" ?

glureau · ‎10-20-2016

Updated Answer for Splunk 6.5.0+

`comment("THIS IS A COMMENT")`

http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Addcommentstosearches

Example from the documentation :

source=usgs `comment("source is the us geological service (usgs)")`
| eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", 
  depth>300, "Deep") 
  `comment("Creates field Description. Case function specifies earthquake 
  depths, returns Description values - Shallow, Mid, Deep.")`
| stats count min(mag) max(mag) `comment("Counts earthquakes, displays min 
  and max magnitudes")` BY Description

View solution in original post

lpolo · ‎05-25-2012

We use a SVN repository to document all our Splunk queries we have in production.

kmattern · ‎05-24-2012

There is one way that does work and it's pretty simple. Place a rename function at the very end of the search and put all your comments in one long string inside double quotes. Here is the end of a 21 line search followed by a comment:

| table Servers,Access_Status,Access,TM,TD,TDB,MB
| rename comment AS "This is a comment. 
1. The search should run
2. none of this comment should show"

The search runs but the comment does not show.

DBrenman · ‎06-12-2017

I downvoted this post because outdated solution.

lstewart_splunk · ‎10-20-2016

I downvoted this post because oct 2016 - rename is not the best way to do this any more.
in 6.4 and earlier versions you can create a simple macro to insert comments. as documented here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Search/Addcommentstosearches
in 6.5.0 there is now a built in macro that you can invoke in your searches, as documented here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches

lstewart_splunk · ‎06-13-2017

I have fixed the links

joshualarkins · ‎12-22-2016

@lstewart_splunk, your links don't work

kmattern · ‎05-25-2012

I would think it uses fewer clocks than the eval.

Jason · ‎05-25-2012

Nice. This looks like the least work for Splunk to do as part of a search

araitz · ‎05-24-2012

Clever! I like it.

Jason · ‎05-24-2012

or maybe | rex field=comment "(?#This is a comment)" ?

araitz · ‎05-24-2012

That's a pretty cool idea! Today, I don't think there is any such mechanism, and I wouldn't recommend using rex as such 🙂

_d_ · ‎05-24-2012

...and then make a long search even longer 🙂

araitz · ‎05-24-2012

Agreed, macros can get pretty confusing and there is no way to in-line comment searches, which would be very cool.

Jason · ‎05-24-2012

But the question of how to best add a comment to a search, in the absence of a |comment, is still open.

Jason · ‎05-24-2012

Makes sense. Multiple macros can get very confusing, especially multiple levels of them, to anyone trying to maintain or edit a search. However, the search does have three sections that are repeated, so I will attempt to put that in a single macro.

araitz · ‎05-24-2012

I try to use macros when possible and give both the macros and saved searches names that strongly bely what purpose they serve.

Jason · ‎05-24-2012

What would you recommend then?

Add a comment to a search?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor