Formatting Splunk searches

Controlling where line breaks occur prevents formatting issues, especially in long lines of code or search commands.

Splunk documentation includes search commands. Long lines of code formatted inside of a code phrase don't always fit a reader's set page width and can cause formatting issues. If a line of code is long, use a code block instead of an inline code phrase so that you can control where line breaks occur. If you need to display the results of a search, use a search results table.

Line breaking for search commands

When writing a search command or long line of code inside of a code block, prioritize the line breaks based on the following list:

  1. Before a pipe ( | )

  2. At a space

  3. Before an opening parenthesis ( ( ) or left bracket ( [ )

  4. After a closing parenthesis ( ) ) or right bracket ( ] )

  5. Before or after an equal sign ( = )

  6. Before or after any equation symbol, such as an asterisk ( * ), forward slash ( / ), plus sign ( + ), greater than symbol ( > ), less than symbol ( < ), or minus sign ( - )

  7. After a dot ( . ), such as in a URL
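The priority list above can be applied mechanically. The following Python sketch is an added example, not part of the Splunk style guide: the function names, the width limit, the sample search, and the choice of the rightmost candidate of the highest-priority rule that fits are all assumptions. It does not treat pipes inside quoted strings specially.

```python
import re

# One zero-width pattern per rule, in the priority order of the list above.
# Each match position is where the next line would start.
RULES = [
    re.compile(r"(?=\|)"),                       # 1. before a pipe
    re.compile(r"(?<= )"),                       # 2. at a space
    re.compile(r"(?=[(\[])"),                    # 3. before ( or [
    re.compile(r"(?<=[)\]])"),                   # 4. after ) or ]
    re.compile(r"(?==)|(?<==)"),                 # 5. before or after =
    re.compile(r"(?=[*/+<>-])|(?<=[*/+<>-])"),   # 6. before or after a symbol
    re.compile(r"(?<=\.)"),                      # 7. after a dot
]

# Constructed sample search, not taken from the page.
SAMPLE = ("index=web sourcetype=access_combined status=404 "
          "| stats count by clientip | sort -count | head 10")


def next_break(text, width):
    """Return the index to break at, or len(text) if the text already fits."""
    if len(text) <= width:
        return len(text)
    for rule in RULES:
        # Candidates that keep the current line within the width limit.
        cuts = [m.start() for m in rule.finditer(text) if 0 < m.start() <= width]
        if cuts:
            return max(cuts)  # assumption: fill the line as far as the rule allows
    return width              # no rule applies: hard break at the limit


def wrap_search(search, width=60):
    """Split a one-line search into lines no longer than width."""
    lines, rest = [], search.strip()
    while rest:
        cut = next_break(rest, width)
        lines.append(rest[:cut].rstrip())
        rest = rest[cut:].lstrip()
    return lines


if __name__ == "__main__":
    print("\n".join(wrap_search(SAMPLE, 60)))
```
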

Search command example

Consider the following search:

Because this search is longer than 1 line, place it inside of a code block. The logical place to break this line is between clientip=87.194.216.51 and | stats, rather than between count, and distinct_count(productId).

The line break appears as follows:

Search result example

Suppose you provide a search command, and you want to display the results of the search so the user knows what to expect. Provide the results in a search table, like in the following example:

For more information on formatting searches and other forms of code in Splunk documentation, see Formatting reference.