Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Add comments to a search

The most flexible way to add comments to your search strings is to create a macro. You can use the macro multiple times in your search string and multiple times in a single command string. Comments in a search do not impact search performance.

You can create the macro in Splunk Web or, in Splunk Enterprise, by editing the macros.conf file.

Create a comment macro in Splunk Web

  1. In Splunk Web, select Settings > Advanced Search > Search macros.
  2. Verify that App context is set to Search & Reporting (search).
  3. Click New to create a new search macro.
  4. For Destination app, select search.
  5. For Name, type comment(1).
  6. For Definition, type "" (two double quotation marks).
  7. Mark the Use eval-based definition? checkbox.
  8. For Arguments, type text.
  9. Click Save.

Create a comment macro in the macros.conf file

In the macros.conf file, add the following macro.

  args = text
  definition = ""
  iseval = 1

Using the comment macro

You can use the comment macro to add comments anywhere in your search string. The syntax for your comment is `comment("comment text")`.


`comment("THIS IS A COMMENT")`
`comment("This part of the search returns only one value")`

Comments begin and end with the back quote, or grave accent, character.


Adding comments to a search

This search classifies recent earthquakes based on their depth.

| eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300,  "Mid", 
  depth>300, "Deep") 
| stats count min(mag) max(mag) BY Description

When you add inline comments the search is easier to understand.

source=usgs `comment("source is the us geological service (usgs)")`
| eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", 
  depth>300, "Deep") 
  `comment("Creates field Description. Case function specifies earthquake 
  depths, returns Description values - Shallow, Mid, Deep.")`
| stats count min(mag) max(mag) `comment("Counts earthquakes, displays min 
  and max magnitudes")` BY Description 

Consider using uppercase characters for your comments to make them easier to find.

| eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", 
  depth>300, "Deep") 
| stats count min(mag) max(mag) `comment("COUNTS EARTHQUAKES, DISPLAYS MIN AND MAX MAGNITUDES")` BY Description 

Using comments to troubleshoot a search

The following search is attempting to return the bytes for the individual indexes. However, the search has the wrong field in the stats command <split-by clause>.

index=_internal source=*license* type=usage | stats sum(b) BY index

You can comment out portions of your search to help identify problems. Another option is to run the search in Verbose mode. In this search the stats portion of the search is commented out.

index=_internal source=*license* type=usage `comment("| stats sum(b) BY index")`

The results show the correct name for the field. You need to specify idx as the field name instead of index.

index=_internal source=*license* type=usage | stats sum(b) BY idx

(Thanks to Splunk user Runals for this example.)

What's in this section?
Calculate sizes of dynamic fields

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters