KQL Inline Comments?

Elastic Stack Kibana
1

Does anyone know any tricks to let you have an inline comment in search dialog of Discover? For instance for a "Firewall Drops" saved search I want to have something like this:

panw.panos.sub_type : ("drop" or "deny") /* and source.ip : "0.0.0.0" */

So that they can then set the source IP easily to narrow the search. We are trying to roll Kibana out to a wider audience in IT.

I added the instruction to the comments for the saved search, but when loading a saved search the user never sees that note?

Any ideas or comments appreciated, thanks!

2

Hi @jscheitel
What's version are you on...

ESQL allows comments in lnline ... Not to mention it's much more powerful than KQL

1 Like
3

We are on 8.12 currently. Upgrade to current planned for August.
Also... adding a picture for context:

Discover_saved_search_comments2
Discover_saved_search_comments21913×694 115 KB

4

@stephenb , thank you - you are a rock star! that is perfect!

Discover_saved_search_esql
Discover_saved_search_esql1873×280 55.8 KB

The only problem I am having is that when it is in ESQL mode I had to rebuild the field selection list, which is fine... but... it will not let me have the @timestamp as the first field. I can have it in any other position but when it moves to the first column it gets removed from the selected fields list. Not sure if that has something to do with the feature being in preview for 8.12.

5

ES|QL is GA in 8.14 with a LOT of bug fixes and enhancements. :slight_smile:
Time to upgrade...

2 Likes