Many people like to write Splunk queries in the Splunk search ‘console’:
I do it all the time too, but I really don’t like the web-based editors too much. Not only they miss lots of features one can get from a decent desktop editor, writing queries in a desktop editor ensures that I keep the copy on file, at least the base version which I can then leverage in the future (in fact, after a while, most of my Splunk queries are basically copypastas of some old queries with some ad hoc mods). Plus, not everyone is using the Splunk version that is offering the highlighting by default (as shown on the screenshot above).
My editor poison of choice is Ultraedit and for a while now I tried to find a wordfile for this program that would allow me to edit Splunk queries with a highlighted syntax. All I could find was a syntax file for VIM. Since I couldn’t find one for Ultraedit and the VIM one was a bit overblown for my purposes one rainy day I decided to create my own…
I wanted to include distinctive coloring:
- search-related keywords (I group these into a few different buckets to emphasize various high-level search-oriented keywords, aggregate functions, math functions, string functions, etc. using a different color scheme for each) – this is not dictated by anything other than my own subjective ‘feeling’ about some keywords, so feel free to adjust to your needs
- built-in functions
- operators
- numbers
- common field names – as many as possible, this defo needs to be customized more for specific environments
- common values – as above
- etc.
This is work in progress, but it is already making a visual difference:
One can always mod the theme to better represent the Ultraedit color scheme and match one from Splunk, but hey… this is a home work exercise 😉
You can download the file from here.
If you want to add any stuff to it, please let me know.
If you want to convert it to a wordfile for any other editor, feel free as well – you can also let me know so I can link to it from this post so other people can find it.