Adding comments
Comments can be used for a variety of purposes, such as describing query logic, functions, and arguments, as well as debugging and temporarily excluding sections of code. They help improve understanding of queries and make them easier to support in the future.
Comment Syntax
In the SML query language, comments are enclosed between the characters /* and */.
source winlog_auth
/*Comments*/
| search event.code="4678"
Special symbols
In Smart Monitor Language comments, special Unicode characters can be used, and escape characters, as well as single and double backticks, are also ignored.
source sm_cs_auth_index
/*Comment ƱĠŔ*/
Using Comments to Troubleshoot
Comments in SML play an important role in debugging queries and finding errors.
- Excluding code for testing. If you want to test the query working without a certain part of the code, you can comment out that part. This allows you to test individual sections of the request and identify problems
- Description of changes. When making changes to requests, especially if they relate to solving specific problems, it is recommended to add comments describing the essence of the changes made. This will help you and your team track and understand changes more easily
- Bug tracking. Adding comments describing errors or suspected causes will help you and your colleagues quickly find and fix problems when working with requests
An example of excluding part of the code to test a request
source sm_cs_auth_index
| table destination.address, destination.ip, source.ip, event.action
/* | eval event.log.out=if(like(event.action, "%logged%"), "Entrance/Exit", "Kerberos") */
| rename destination.address as "Target server address", destination.ip as "Target server IP", source.ip as "Source IP", event.action as "Event", event.log.out as "Result"