Splunk Search

Add a comment to a search?

Jason
Motivator

I'm working on a really large search right now (on the order of 35 lines long). Is there a good way to insert a comment into a search query to remind a future search editor what is going on?

There doesn't seem to be a | comment command.

perhaps | rex field=bogus "This could be a comment" ?

1 Solution

glureau
Engager

Updated Answer for Splunk 6.5.0+

`comment("THIS IS A COMMENT")` 

http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Addcommentstosearches

Example from the documentation :

source=usgs `comment("source is the us geological service (usgs)")`
| eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", 
  depth>300, "Deep") 
  `comment("Creates field Description. Case function specifies earthquake 
  depths, returns Description values - Shallow, Mid, Deep.")`
| stats count min(mag) max(mag) `comment("Counts earthquakes, displays min 
  and max magnitudes")` BY Description 

View solution in original post

lpolo
Motivator

We use a SVN repository to document all our Splunk queries we have in production.

0 Karma

kmattern
Builder

There is one way that does work and it's pretty simple. Place a rename function at the very end of the search and put all your comments in one long string inside double quotes. Here is the end of a 21 line search followed by a comment:

| table Servers,Access_Status,Access,TM,TD,TDB,MB
| rename comment AS "This is a comment. 
1. The search should run
2. none of this comment should show"

The search runs but the comment does not show.

DBrenman
Engager

I downvoted this post because outdated solution.

0 Karma

lstewart_splunk
Splunk Employee
Splunk Employee

I downvoted this post because oct 2016 - rename is not the best way to do this any more.
in 6.4 and earlier versions you can create a simple macro to insert comments. as documented here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Search/Addcommentstosearches
in 6.5.0 there is now a built in macro that you can invoke in your searches, as documented here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches

lstewart_splunk
Splunk Employee
Splunk Employee

I have fixed the links

0 Karma

joshualarkins
Explorer

@lstewart_splunk, your links don't work

kmattern
Builder

I would think it uses fewer clocks than the eval.

0 Karma

Jason
Motivator

Nice. This looks like the least work for Splunk to do as part of a search

0 Karma

araitz
Splunk Employee
Splunk Employee

Clever! I like it.

0 Karma

Jason
Motivator

or maybe | rex field=comment "(?#This is a comment)" ?

0 Karma

araitz
Splunk Employee
Splunk Employee

That's a pretty cool idea! Today, I don't think there is any such mechanism, and I wouldn't recommend using rex as such 🙂

0 Karma

_d_
Splunk Employee
Splunk Employee

...and then make a long search even longer 🙂

0 Karma

araitz
Splunk Employee
Splunk Employee

Agreed, macros can get pretty confusing and there is no way to in-line comment searches, which would be very cool.

0 Karma

Jason
Motivator

But the question of how to best add a comment to a search, in the absence of a |comment, is still open.

0 Karma

Jason
Motivator

Makes sense. Multiple macros can get very confusing, especially multiple levels of them, to anyone trying to maintain or edit a search. However, the search does have three sections that are repeated, so I will attempt to put that in a single macro.

0 Karma

araitz
Splunk Employee
Splunk Employee

I try to use macros when possible and give both the macros and saved searches names that strongly bely what purpose they serve.

Jason
Motivator

What would you recommend then?

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...