Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Commenting Search Code

reed_kelly
Contributor
‎11-06-2012 06:25 AM

I would like to add comments to my searches, saved searches, macros and just about anywhere that I write search syntax. I have searches that have dozens of lines and they still call macros to organize the syntax and reduce duplication.

I thought of adding a bunch of evals:

...| eval comment="Added splunk_server check to reduce load on slow indexers..."

But this has side effects and causes a slight increase in resource consumption.

Does anyone have a more elegant way to comment search code?

Reply
1 Solution
Solved! Jump to solution
Solution

GregZillgitt
Path Finder
‎05-22-2014 11:40 AM

I created a do-nothing "comment.py" (and associated commands.conf stanza), dropped it into the search app's bin directory, and voila! Now I can do this:

... some commands | COMMENT This is a comment | ... more commands

Here's comment.py:

import splunk.Intersplunk

def docomment(results, settings):
    # do nothing
    splunk.Intersplunk.outputResults(results)

results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = docomment(results, settings)

commands.conf:

[comment]
retainsevents = true
streaming = true
filename = comment.py

That's it!

Quick & dirty deploy: drop comment.py in $SPLUNK__HOME/etc/apps/search/bin, commands.conf in $SPLUNK_HOME/etc/apps/search/local, and restart.

Probably should be packaged in its own app using the new templated approach.

View solution in original post

Reply
Solved! Jump to solution

keiichilam
Explorer
‎07-08-2015 01:03 AM

some extra cost in execution:
index=_internal * |head 1 | COMMENT TEST| COMMENT TEST| COMMENT TEST| COMMENT TEST| COMMENT TEST

Duration (seconds) Component Invocations Input count Output count
0.23 command.COMMENT 5 5 5

But This is really nice!

0 Karma
Reply
Solved! Jump to solution
Solution

GregZillgitt
Path Finder
‎05-22-2014 11:40 AM

I created a do-nothing "comment.py" (and associated commands.conf stanza), dropped it into the search app's bin directory, and voila! Now I can do this:

... some commands | COMMENT This is a comment | ... more commands

Here's comment.py:

import splunk.Intersplunk

def docomment(results, settings):
    # do nothing
    splunk.Intersplunk.outputResults(results)

results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = docomment(results, settings)

commands.conf:

[comment]
retainsevents = true
streaming = true
filename = comment.py

That's it!

Quick & dirty deploy: drop comment.py in $SPLUNK__HOME/etc/apps/search/bin, commands.conf in $SPLUNK_HOME/etc/apps/search/local, and restart.

Probably should be packaged in its own app using the new templated approach.

Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎10-13-2015 02:28 PM

Unfortunately, this approach means that the comment command ends up de-serializing and re-serializing every event from and to CSV in python. That's in general fairly costly.

A macro based approach would be best. Basically define a comment macro that evaluates to the empty string regardless of the input argument.

0 Karma
Reply
Solved! Jump to solution

lstewart_splunk
Splunk Employee
Splunk Employee
‎10-13-2015 02:33 PM

And a macro method is documented here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎05-22-2014 12:42 PM

This is a great solution to the problem, so I gave it the check! I would still like to see a native solution from Splunk, however. For example, I might want to do something like the following to comment pieces of a SPL. (similar to C-style)

| timechart \/*limit=20*\/ limit=5 span=\/*5m*\/10m count by sourcetype

Reply
Solved! Jump to solution

snoobzilla
Builder
‎01-30-2015 06:28 AM

Would this approach add noticeable overhead?

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎11-06-2012 08:24 AM

I found another thread on this with useful suggestions:

http://splunk-base.splunk.com/answers/48865/add-a-comment-to-a-search

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎11-06-2012 07:09 AM

It would also be nice to be able to comment out a section of a search without deleting the original text. This may come in handy for a quick fix.

I think I should file an enhancement request. I was just fishing for ideas in the mean time.

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎11-06-2012 07:04 AM

Thanks. I want something that is a first-class citizen in the search command so that it is also passed to alert scripts and other Splunk things. It would also be nice to be able to copy and paste the entire search and know that you were grabbing the comments as well.

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎11-06-2012 06:54 AM

This isn't an answer per se, but I typically comment the search strings or macros within macros.conf itself, or perhaps the XML of a view / dashboard definition.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top