Prevent query autoformat from deleting empty lines

d_o_c · ‎09-05-2019

It can enhance query readability to separate large queries into their logical components using empty lines:

index = events
`comment("find and filter events")`
| ...
| ...
| ...

`comment("derive statistics of type A")`
| ...
| ...

`comment("derive statistics of type B")`
| ...
| ...

`comment("sort and format the results")`
| ...
| ...

But the Splunk search's auto-format removes empty lines. I'd like to prevent that. Is there a way to retain all auto-format functionality EXCEPT for deleting empty lines?

If that's impossible, I'd like to find the minimum "filler-text" which I could use to separate logical blocks of a search.
Right now my only candidates are empty comments and noop.

`comment("")`
| noop

Are there any better alternatives? I'm also suspicious that "noop" might not be benign.
I'm using Splunk Enterprise 7.3.0

DalJeanis · ‎09-05-2019

| rename COMMENT as "my comment"

but it's not any better.

Prevent query autoformat from deleting empty lines

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Prevent query autoformat from deleting empty lines

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform