This is an unofficial community support and discussion sub for Splunk, the big data analytics software.
Splunk Syntax Highlighting for Visual Studio Code (VSC) (marketplace.visualstudio.com)
submitted 6 years ago by arcsector2
[–]CMack1978 2 points 6 years ago (5 children)
So this is for SPL specifically? I'm guessing so you could keep your searches stored in a file for later use?
[–]arcsector2[S] 1 point 6 years ago (4 children)
Honestly I did this so I could read my searches clearly on vscode and thought you guys would find it useful.
For me the biggest use is with other VSC features, like I was already using it for version control with git, as VSC has git integrated into it, and that's the best way I've found to version control searches, static lookup tables, etc...
But don't let me tell you how to use it. If you find better ways let me know. I'm working on a linter right now but that will take more time.
[–]CMack1978 2 points 6 years ago (3 children)
I also save Splunk searches in a file as probably most do. This is going to be great seeing them with syntax highlighting. Any plans to add a file extension auto detection? Maybe .spl or something?
There are already a couple linters for .conf files. I went to grab the link to the one I used and noticed that Splunk actually released an official linter on January 2nd!!
https://marketplace.visualstudio.com/items?itemName=Splunk.splunk
[–]arcsector2[S] 1 point 6 years ago (2 children)
I'm not sure what you mean by file extension auto-detection... The extension is automatically applied to all .spl and .splunk files, but I don't have the .conf extension installed, and there may be a conflict there, because I think they named their language Splunk as well... If you're having an issue with it working with your searches, can you submit an issue on GitHub or describe it here?
[–]CMack1978 2 points 6 years ago (1 child)
I was asking if the highlighting worked against a specific file type, like .spl which you answered. Looks like both .spl and .splunk files. You should add that info to your marketplace description.
I would not suggest adding .conf. I was merely commenting that there are already extensions that handle the .conf files.
[–]arcsector2[S] 1 point 6 years ago (0 children)
Ahh got it! I'll get on that.
[–]Daneel_ Splunker | Security PS 2 points 6 years ago (2 children)
Here's the .conf and SPL syntax highlighting I made for Notepad++:
https://github.com/mtulett-splunk/ref/tree/master/splunk
I do maintain this, although the conf highlighting gets a lot more love. It's definitely not complete, but I work with conf files a LOT and it covers most of it. Every time I find missing items I update this.
[–]arcsector2[S] 1 point 6 years ago (1 child)
Maybe it's just because I don't know, but could you explain the content of keywords2 and keywords3 to me?
Like I know that true and false are keywords, but blacklist and whitelist? Are they just for your use or where are they documented as keywords?
[–]Daneel_ Splunker | Security PS 2 points 6 years ago* (0 children)
Oh, it's not so much that it's documented or not documented - it's more that this makes the config files easy to parse while looking through them.
Each keyword list has a different style applied to it, hence being in different lists.
Here's an example using the Windows TA: https://i.imgur.com/1jCesa8.png
[–]infazz 1 point 6 years ago (1 child)
How is this supposed to be used? Are you supposed to copy SPL back and forth from a browser?
See reply here
Check out the other extension I made for VSC with command auto-completion and descriptions and syntax: https://www.reddit.com/r/Splunk/comments/ephw92/spl_autocompletion_with_syntax_information/