Prevent query autoformat from deleting empty lines

d_o_c · ‎09-05-2019

It can enhance query readability to separate large queries into their logical components using empty lines:

index = events
`comment("find and filter events")`
| ...
| ...
| ...

`comment("derive statistics of type A")`
| ...
| ...

`comment("derive statistics of type B")`
| ...
| ...

`comment("sort and format the results")`
| ...
| ...

But the Splunk search's auto-format removes empty lines. I'd like to prevent that. Is there a way to retain all auto-format functionality EXCEPT for deleting empty lines?

If that's impossible, I'd like to find the minimum "filler-text" which I could use to separate logical blocks of a search.
Right now my only candidates are empty comments and noop.

`comment("")`
| noop

Are there any better alternatives? I'm also suspicious that "noop" might not be benign.
I'm using Splunk Enterprise 7.3.0

DalJeanis · ‎09-05-2019

| rename COMMENT as "my comment"

but it's not any better.

Prevent query autoformat from deleting empty lines

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Prevent query autoformat from deleting empty lines

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions