VIM syntax highlighting for splunk config files

yoho
Contributor

Just wanted to share with the community the plugin and syntax highlighter I've made for VIM.

To enable syntax highlighting, just drop the first file, "splunk.vim (syntax)", into the ~/.vim/syntax/ folder (create it if it doesn't exist). To enable auto-detection of splunk configuration files, drop the second file, "splunk.vim (ftdetect)", into the ~/.vim/ftdetect/ folder (again, create it if it doesn't exist).

splunk.vim (syntax)

 " For version 5.x: Clear all syntax items
 " For version 6.x: Quit when a syntax file was already loaded
 if version < 600
   syntax clear
 elseif exists("b:current_syntax")
   finish
 endif

 " shut case off
 syn case ignore

 " Everything before an equal sign
 syn match  splunkLabel          "^.\{-}="

 " Exception to the previous splunkLabel for search statements
 syn match splunkSearchLabel "^\s*search.\{-}=" skipwhite nextgroup=splunkSearchStatement
 syn match splunkSearchStatement ".*$" contains=splunkSearchLabel,splunkPipe contained
 syn match splunkPipe "|" contained nextgroup=@splunkKeywords skipwhite

 " cluster of all search keywords
 syn cluster splunkKeywords contains=splunkCorrelation,splunkViewData,splunkManageData,splunkManagesummaryindexes,splunkAddfields,splunkExtractfields,splunkModifyfieldsandfieldvalues,splunkFindanomalies,splunkGeoipandlocation,splunkPredictionandtrending,splunkReports,splunkAlerting,splunkAppend,splunkFilter,splunkFormat,splunkGenerate,splunkGroup,splunkReorder,splunkRead,splunkWrite,splunkSearch,splunkSubsearch,splunkTime

 " search keywords by category, taken from the online doc
 syn keyword splunkCorrelation append appendcols appendpipe arules associate contingency correlate diff join lookup selfjoin set stats transaction contained
 syn keyword splunkViewData audit datamodel dbinspect eventcount metadata typeahead contained
 syn keyword splunkManageData crawl delete input contained
 syn keyword splunkManagesummaryindexes collect stash overlap sichart sirare Summary sistats sitimechart sitop Summary contained
 syn keyword splunkAddfields accum addinfo addtotals delta eval iplocation lookup multikv rangemap relevancy strcat contained
 syn keyword splunkExtractfields erex extract kv kvform rex spath xmlkv contained
 syn keyword splunkModifyfieldsandfieldvalues convert filldown fillnull makemv nomv reltime rename replace  contained
 syn keyword splunkFindanomalies analyzefields af anomalies anomalousvalue cluster kmeans outlier rare  contained
 syn keyword splunkGeoipandlocation iplocation geostats  contained
 syn keyword splunkPredictionandtrending predict trendline x11 contained
 syn keyword splunkReports addtotals bucket bin discretize chart contingency counttable ctable correlate eventcount eventstats gauge makecontinuous outlier rare stats streamstats timechart top trendline untable xyseries contained
 syn keyword splunkAlerting sendemail        contained
 syn keyword splunkAppend append appendcols join selfjoin contained
 syn keyword splunkFilter dedup fields mvcombine regex searchtxn table uniq where contained
 syn keyword splunkFormat untable xyseries contained
 syn keyword splunkGenerate gentimes loadjob mvexpand savedsearch search contained
 syn keyword splunkGroup cluster kmeans mvexpand transaction typelearner typer contained
 syn keyword splunkReorder head reverse sort tail contained
 syn keyword splunkRead inputcsv inputlookup loadjob contained
 syn keyword splunkWrite outputcsv outputlookup outputtext sendemail contained
 " search commands; the group must be named splunkSearch, which @splunkKeywords and the HiLink list refer to
 syn keyword splunkSearch map search sendemail localop contained
 syn keyword splunkSubsearch append appendcols appendpipe format join return set contained
 syn keyword splunkTime gentimes localize reltime contained

 syn region splunkHeader         start="^\[" end="\]"
 syn match  splunkComment        "^#.*$"

 " Define the default highlighting.
 " For version 5.7 and earlier: only when not done already
 " For version 5.8 and later: only when an item doesn't have highlighting yet
 if version >= 508 || !exists("did_splunk_syntax_inits")
   if version < 508
     let did_splunk_syntax_inits = 1
     command -nargs=+ HiLink hi link <args>
   else
     command -nargs=+ HiLink hi def link <args>
   endif

         HiLink splunkHeader     Special
         HiLink splunkComment    Comment
         HiLink splunkLabel      Type
         HiLink splunkSearchLabel      Type
         HiLink splunkPipe       Special
         HiLink splunkCorrelation Statement
         HiLink splunkViewData Statement
         HiLink splunkManageData Statement
         HiLink splunkManagesummaryindexes Statement
         HiLink splunkAddfields Statement
         HiLink splunkExtractfields Statement
         HiLink splunkModifyfieldsandfieldvalues Statement
         HiLink splunkFindanomalies Statement
         HiLink splunkGeoipandlocation Statement
         HiLink splunkPredictionandtrending Statement
         HiLink splunkReports Statement
         HiLink splunkAlerting Statement
         HiLink splunkAppend Statement
         HiLink splunkFilter Statement
         HiLink splunkFormat Statement
         HiLink splunkGenerate Statement
         HiLink splunkGroup Statement
         HiLink splunkReorder Statement
         HiLink splunkRead Statement
         HiLink splunkWrite Statement
         HiLink splunkSearch Statement
         HiLink splunkSubsearch Statement
         HiLink splunkTime Statement

   delcommand HiLink
 endif

 let b:current_syntax = "splunk"

 " vim:ts=8

splunk.vim (ftdetect)

 au BufRead,BufNewFile admon.conf,alert_actions.conf,app.conf,
   \audit.conf,authentication.conf,authorize.conf,commands.conf,crawl.conf,
   \default.meta.conf,default-mode.conf,deployment.conf,deploymentclient.conf,
   \distsearch.conf,eventdiscoverer.conf,eventgen.conf,
   \event_renderers.conf,eventtypes.conf,
   \fields.conf,indexes.conf,inputs.conf,instance.cfg.conf,limits.conf,
   \literals.conf,macros.conf,multikv.conf,outputs.conf,pdf_server.conf,
   \procmon-filters.conf,props.conf,pubsub.conf,regmon-filters.conf,restmap.conf,
   \savedsearches.conf,searchbnf.conf,
   \segmenters.conf,server.conf,serverclass.conf,serverclass.seed.xml.conf,
   \setup.xml.conf,source-classifier.conf,sourcetypes.conf,
   \splunk-launch.conf,tags.conf,tenants.conf,times.conf,transactiontypes.conf,
   \transforms.conf,user-seed.conf,viewstates.conf,web.conf,
   \wmi.conf,workflow_actions.conf 
   \ setfiletype splunk
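
As an added example (not part of yoho's post or of the plugin itself), here is a small Python script that mirrors what the two Vim files do, so you can see the classification outside the editor: it applies the same file-name test the ftdetect file uses, and the same line patterns the syntax file uses (stanza header, comment, the non-greedy label that stops at the first "=", the search label, and the command word after each "|" looked up in the keyword groups) to a constructed savedsearches.conf fragment. The file-name set and the keyword table are deliberate subsets of the lists above; the "first group wins" rule for a command that appears in several groups is this example's own choice, not Vim's; and, like the Vim file, it does not treat a "|" inside a quoted string specially.

```python
import re
from os.path import basename

# Subset of the file names the ftdetect file maps to filetype "splunk" (constructed for this example)
SPLUNK_CONF_NAMES = frozenset({
    "props.conf", "transforms.conf", "savedsearches.conf", "inputs.conf",
    "outputs.conf", "indexes.conf", "authorize.conf", "eventtypes.conf",
})

# Search commands by category, a subset of the syntax file's "syn keyword" groups
SEARCH_KEYWORDS = {
    "splunkCorrelation": {"append", "join", "lookup", "stats", "transaction"},
    "splunkFilter": {"dedup", "fields", "regex", "table", "where"},
    "splunkReports": {"chart", "timechart", "top", "eventstats"},
    "splunkReorder": {"head", "reverse", "sort", "tail"},
    "splunkWrite": {"outputcsv", "outputlookup", "sendemail"},
}

# Python equivalents of the Vim patterns in the syntax file
HEADER_RE = re.compile(r"^\[.*?\]")                             # syn region splunkHeader start="^\[" end="\]"
COMMENT_RE = re.compile(r"^#.*$")                               # syn match splunkComment "^#.*$"
SEARCH_LABEL_RE = re.compile(r"^\s*search.*?=", re.IGNORECASE)  # syn match splunkSearchLabel "^\s*search.\{-}="
LABEL_RE = re.compile(r"^.*?=")                                 # syn match splunkLabel "^.\{-}=" (stops at the first '=')


def is_splunk_conf(path):
    """Filetype detection the way the ftdetect file does it: by file name only."""
    return basename(path) in SPLUNK_CONF_NAMES


def keyword_group(word):
    """Syntax group for a search command, or None. Lower-cased because the syntax
    file sets 'syn case ignore'. If a command sits in several groups the first table
    entry wins; that ordering is this example's choice, not Vim's resolution rule."""
    w = word.lower()
    for group, words in SEARCH_KEYWORDS.items():
        if w in words:
            return group
    return None


def classify_line(line):
    """Split one .conf line into (syntax group, text) pairs, in the priority order
    the Vim file ends up with: header, comment, search label, generic label.
    "plain" marks text no group highlights (not a Vim group name)."""
    m = HEADER_RE.match(line)
    if m:
        return [("splunkHeader", m.group(0)), ("plain", line[m.end():])]
    if COMMENT_RE.match(line):
        return [("splunkComment", line)]
    m = SEARCH_LABEL_RE.match(line)
    if m:
        tokens = [("splunkSearchLabel", m.group(0))]
        # The rest of the line is the search statement; '|' marks a command boundary.
        segments = line[m.end():].split("|")
        tokens.append(("splunkSearchStatement", segments[0]))
        for seg in segments[1:]:
            tokens.append(("splunkPipe", "|"))
            stripped = seg.lstrip()
            cmd = stripped.split(None, 1)[0] if stripped else ""
            group = keyword_group(cmd)
            if group:
                # nextgroup=@splunkKeywords skipwhite: only the first word after the pipe
                tokens.append((group, cmd))
                tokens.append(("splunkSearchStatement", stripped[len(cmd):]))
            else:
                tokens.append(("splunkSearchStatement", seg))
        return tokens
    m = LABEL_RE.match(line)
    if m:
        return [("splunkLabel", m.group(0)), ("plain", line[m.end():])]
    return [("plain", line)]


def classify_conf(text):
    """Classify every line of a .conf fragment."""
    return [classify_line(line) for line in text.splitlines()]


# Constructed savedsearches.conf fragment (not from the page) used as sample input
SAMPLE_CONF = """[Failed Logins]
# alert when one source fails authentication repeatedly
search = index=auth action=failure | stats count BY src | where count > 20
cron_schedule = */5 * * * *
"""

if __name__ == "__main__":
    print(is_splunk_conf("/opt/splunk/etc/system/local/savedsearches.conf"))
    for tokens in classify_conf(SAMPLE_CONF):
        print(tokens)
```

Running it prints one token list per line of the sample; the search line comes out as the label, the statement up to the first pipe, and then a pipe token followed by the classified command word for each further segment, which is exactly the colouring the Vim file produces for the same line.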

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

This is very nice work! However, the moderator in me goes - that's not a question. So how can it be answered? This might help:

Summertime, that sweet sultry seductress, calls to me, beckons me, tempts me. As the dandelion wisps float majestically upon the warm breeze, so does my affinity to stay outside. We were not meant for the indoor life. We crave the sun, we crave the rain, we crave the meaning of our short existence. Perhaps then, could we find meaning in the rain, or the sun? Daringly, I ask: that upon the time of which you find yourself within the rain ( more obtusely said then meant ), Stop. Feel the Rain. Feel the drops of heavenly nectar upon our skin. Feel the emotion of the rain. Feel Alive. For when it is only when we Feel Alive, then we know that we are living.

Yorokobi
SplunkTrust
SplunkTrust

gabriel_vasseur
Contributor

The link is broken: add the missing "k" at the end to make it work.

0 Karma

yoho
Contributor

Yes, this is clearly a level above what I'm able to produce. Congrats!

0 Karma

proletariat99
Communicator

Naw, he's just following the Jeopardy model. Incidentally, I had already asked the question here: http://answers.splunk.com/answers/121749/search-syntax-highlighting

I consider it answered over here. Awesome. Thanks!

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Yes, I believe that is "best practice" to create a "fake" question and answer it yourself. The only mako I know of is a shark. Happy Vim-ing!

yoho
Contributor

I accept the answer 🙂

Maybe I should have created a fake question like "How can I make vim highlight the syntax in splunk config files?"

I've also made an attempt to highlight mako template files but it's quite difficult because mako instructions are mixed with HTML language. Maybe I'll post the files also when I find them mature enough.

MuS
Legend

Can't wait to see how your answers will look tomorrow 😉

MuS
Legend

Nice work! Thanks

0 Karma

koppolu17
Explorer

WoW!!
I started following you now. Upvoted answer below.

0 Karma