Adding comments
Comments can be used for a variety of purposes, such as describing query logic, functions, and arguments, as well as debugging and temporarily excluding sections of code. They help improve understanding of queries and make them easier to support in the future.
Comment Syntax
In the SAFL query language, comments are enclosed between the characters /* and */.
Example:
source winlog_auth
/*Comments*/
| search event.code="4678"
Special symbols
Special Unicode characters may be used in comments; escape characters, single and double backquotes are also ignored.
source sm_cs_auth_index
/*Comment ƱĠŔ*/
Using Comments to Troubleshoot
Comments in SAFL play an important role in debugging queries and finding errors.
- Problem areas. Comments are used to indicate areas of code that may be potential sources of errors. If a problem occurs, you can temporarily exclude such areas from query execution by commenting them out.
- Excluding code for testing. If you want to test the query working without a certain part of the code, you can comment out that part. This allows you to test individual sections of the request and identify problems.
- Description of changes. When making changes to requests, especially if they relate to solving specific problems, it is recommended to add comments describing the essence of the changes made. This will help you and your team track and understand changes more easily.
- Bug tracking. Adding comments describing errors or suspected causes will help you and your colleagues quickly find and fix problems when working with requests.
An example of excluding part of the code to test a request:
source sm_cs_auth_index
| table destination.address, destination.ip, source.ip, event.action
/* | eval event.log.out=if(like(event.action, "%logged%"), "Вход/Выход", "Kerberos") */
| rename destination.address as "Адрес целевого сервера", destination.ip as "IP целевого сервера", source.ip as "IP источника", event.action as "Событие", event.log.out as "Результат"