KQL Inline Comments?

jscheitel · July 11, 2024, 6:51pm

Does anyone know any tricks to let you have an inline comment in search dialog of Discover? For instance for a "Firewall Drops" saved search I want to have something like this:

panw.panos.sub_type : ("drop" or "deny") /* and source.ip : "0.0.0.0" */

So that they can then set the source IP easily to narrow the search. We are trying to roll Kibana out to a wider audience in IT.

I added the instruction to the comments for the saved search, but when loading a saved search the user never sees that note?

Any ideas or comments appreciated, thanks!

stephenb · July 12, 2024, 5:44am

Hi @jscheitel
What's version are you on...

ESQL allows comments in lnline ... Not to mention it's much more powerful than KQL

jscheitel · July 12, 2024, 12:29pm

We are on 8.12 currently. Upgrade to current planned for August.
Also... adding a picture for context:

jscheitel · July 12, 2024, 12:50pm

@stephenb , thank you - you are a rock star! that is perfect!

The only problem I am having is that when it is in ESQL mode I had to rebuild the field selection list, which is fine... but... it will not let me have the @timestamp as the first field. I can have it in any other position but when it moves to the first column it gets removed from the selected fields list. Not sure if that has something to do with the feature being in preview for 8.12.

dadoonet · July 12, 2024, 2:17pm

ES|QL is GA in 8.14 with a LOT of bug fixes and enhancements.
Time to upgrade...