I'd like to make comments an enhancement request for Splunk so that comments could be placed throughout the search without affecting it from the current pipe through the next pipe, both to disable portions of the search that aren't currently being used and to allow comments to be placed inline in the search. Any of these formats would be sensible:
|comment
|rem
|#
or even
|<!-- comment -->|
for instance:
index=main source=df
|rex field=_raw "(? \w\S)\shas\s(? \d{1,2})\%\sfree" max_match=10
| eval disk-pctfree = mvzip(disk, pctfree) | mvexpand disk-pctfree |fields host, disk-pctfree | rex field=disk-pctfree "(? \w\S),(? \d{1,2})" |stats min(pctfree) by host, disk | sort by min(pctfree) | rename min(pctfree) as "Minimum % Free"
| search "Minimum % Free"<11
|comment begin exclusions
|search NOT ( host=hostname1 AND disk=D: )
|search NOT ( host=hostname2 AND disk=D: )
|search NOT ( host=hostname3 AND disk=C: )
|comment use this method to set an alternate minimum: search NOT ( host=hostname4 AND disk=E: AND "Minimum % Free">5 )
... View more