Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Commenting Search Code

reed_kelly
Contributor
‎11-06-2012 06:25 AM

I would like to add comments to my searches, saved searches, macros and just about anywhere that I write search syntax. I have searches that have dozens of lines and they still call macros to organize the syntax and reduce duplication.

I thought of adding a bunch of evals:

...| eval comment="Added splunk_server check to reduce load on slow indexers..."

But this has side effects and causes a slight increase in resource consumption.

Does anyone have a more elegant way to comment search code?

Reply
1 Solution
Solved! Jump to solution
Solution

GregZillgitt
Path Finder
‎05-22-2014 11:40 AM

I created a do-nothing "comment.py" (and associated commands.conf stanza), dropped it into the search app's bin directory, and voila! Now I can do this:

... some commands | COMMENT This is a comment | ... more commands

Here's comment.py:

import splunk.Intersplunk

def docomment(results, settings):
    # do nothing
    splunk.Intersplunk.outputResults(results)

results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = docomment(results, settings)

commands.conf:

[comment]
retainsevents = true
streaming = true
filename = comment.py

That's it!

Quick & dirty deploy: drop comment.py in $SPLUNK__HOME/etc/apps/search/bin, commands.conf in $SPLUNK_HOME/etc/apps/search/local, and restart.

Probably should be packaged in its own app using the new templated approach.

View solution in original post

Reply
Solved! Jump to solution

keiichilam
Explorer
‎07-08-2015 01:03 AM

some extra cost in execution:
index=_internal * |head 1 | COMMENT TEST| COMMENT TEST| COMMENT TEST| COMMENT TEST| COMMENT TEST

Duration (seconds) Component Invocations Input count Output count
0.23 command.COMMENT 5 5 5

But This is really nice!

0 Karma
Reply
Solved! Jump to solution
Solution

GregZillgitt
Path Finder
‎05-22-2014 11:40 AM

I created a do-nothing "comment.py" (and associated commands.conf stanza), dropped it into the search app's bin directory, and voila! Now I can do this:

... some commands | COMMENT This is a comment | ... more commands

Here's comment.py:

import splunk.Intersplunk

def docomment(results, settings):
    # do nothing
    splunk.Intersplunk.outputResults(results)

results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = docomment(results, settings)

commands.conf:

[comment]
retainsevents = true
streaming = true
filename = comment.py

That's it!

Quick & dirty deploy: drop comment.py in $SPLUNK__HOME/etc/apps/search/bin, commands.conf in $SPLUNK_HOME/etc/apps/search/local, and restart.

Probably should be packaged in its own app using the new templated approach.

Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎10-13-2015 02:28 PM

Unfortunately, this approach means that the comment command ends up de-serializing and re-serializing every event from and to CSV in python. That's in general fairly costly.

A macro based approach would be best. Basically define a comment macro that evaluates to the empty string regardless of the input argument.

0 Karma
Reply
Solved! Jump to solution

lstewart_splunk
Splunk Employee
Splunk Employee
‎10-13-2015 02:33 PM

And a macro method is documented here:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎05-22-2014 12:42 PM

This is a great solution to the problem, so I gave it the check! I would still like to see a native solution from Splunk, however. For example, I might want to do something like the following to comment pieces of a SPL. (similar to C-style)

| timechart \/*limit=20*\/ limit=5 span=\/*5m*\/10m count by sourcetype

Reply
Solved! Jump to solution

snoobzilla
Builder
‎01-30-2015 06:28 AM

Would this approach add noticeable overhead?

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎11-06-2012 08:24 AM

I found another thread on this with useful suggestions:

http://splunk-base.splunk.com/answers/48865/add-a-comment-to-a-search

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎11-06-2012 07:09 AM

It would also be nice to be able to comment out a section of a search without deleting the original text. This may come in handy for a quick fix.

I think I should file an enhancement request. I was just fishing for ideas in the mean time.

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎11-06-2012 07:04 AM

Thanks. I want something that is a first-class citizen in the search command so that it is also passed to alert scripts and other Splunk things. It would also be nice to be able to copy and paste the entire search and know that you were grabbing the comments as well.

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎11-06-2012 06:54 AM

This isn't an answer per se, but I typically comment the search strings or macros within macros.conf itself, or perhaps the XML of a view / dashboard definition.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...