It can enhance query readability to separate large queries into their logical components using empty lines:
index = events
`comment("find and filter events")`
| ...
| ...
| ...
`comment("derive statistics of type A")`
| ...
| ...
`comment("derive statistics of type B")`
| ...
| ...
`comment("sort and format the results")`
| ...
| ...
But the Splunk search's auto-format removes empty lines. I'd like to prevent that. Is there a way to retain all auto-format functionality EXCEPT for deleting empty lines?
If that's impossible, I'd like to find the minimum "filler-text" which I could use to separate logical blocks of a search.
Right now my only candidates are empty comments and noop.
`comment("")`
| noop
Are there any better alternatives? I'm also suspicious that "noop" might not be benign.
I'm using Splunk Enterprise 7.3.0
↧