Add a comment to a search?

Motivator

I'm working on a really large search right now (on the order of 35 lines long). Is there a good way to insert a comment into a search query to remind a future search editor what is going on?

There doesn't seem to be a | comment command.

Perhaps | rex field=bogus "This could be a comment" ?

Re: Add a comment to a search?

Splunk Employee

That's a pretty cool idea! Today, I don't think there is any such mechanism, and I wouldn't recommend using rex as such 🙂

0 Karma

Re: Add a comment to a search?

Motivator

What would you recommend then?

0 Karma

Re: Add a comment to a search?

Splunk Employee

I try to use macros when possible and give both the macros and saved searches names that strongly belie what purpose they serve.

Re: Add a comment to a search?

Motivator

Makes sense. Multiple macros can get very confusing, especially multiple levels of them, to anyone trying to maintain or edit a search. However, the search does have three sections that are repeated, so I will attempt to put that in a single macro.

0 Karma

Re: Add a comment to a search?

Motivator

But the question of how to best add a comment to a search, in the absence of a |comment, is still open.

0 Karma

Re: Add a comment to a search?

Splunk Employee

Agreed, macros can get pretty confusing and there is no way to in-line comment searches, which would be very cool.

0 Karma

Re: Add a comment to a search?

Splunk Employee

...and then make a long search even longer 🙂

0 Karma

Re: Add a comment to a search?

Motivator

Or maybe | rex field=comment "(?#This is a comment)" ?

0 Karma

Re: Add a comment to a search?

Builder

There is one way that does work and it's pretty simple. Place a rename function at the very end of the search and put all your comments in one long string inside double quotes. Here is the end of a 21-line search followed by a comment:

| table Servers,Access_Status,Access,TM,TD,TDB,MB
| rename comment AS "This is a comment. 
1. The search should run
2. none of this comment should show"

The search runs but the comment does not show.