What is new and different in SPL2?
SPL2 is a powerful, flexible, and easy to use language that you use to perform batch analytic searches and data preparation for GDI.
Compared to SPL, SPL2 is a more powerful and flexible language that's easier to use. On top of the data querying capabilities supported by SPL, with SPL2 you can perform batch analytics with searches and data preparation for data management. SPL2 provides a broader range of features for Splunk data managers, analysts, app developers, and admins.
SPL2 is optimized for simplicity and ease of use, and is able to support more features and functionality while involving fewer commands.
Key differences
- SPL2 is supported in multiple Splunk apps and products. SPL is supported in only one. As a result, SPL2 makes working across Splunk apps and products easier and enhances productivity.
- If you are familiar with SQL, you can use SQL syntax to create SPL2 searches. Rather than learning SPL2 syntax in detail, using the syntax you're familiar with reduces the time it takes to gain insights into your data.
- SPL2 includes a unified data preparation experience. You can seamlessly transform data in motion, as it is being collected and before it is indexed and stored. With pipelines, you can filter, mask, enrich, and route data in a consolidated process that would otherwise require more complex configurations on the platform or on heavy forwarders.
- With SPL2 you can process unstructured data and define a structure or schema for that data. Defining custom data types identifies the shape of your data.
- You have more control over the data with SPL2:
  - You can normalize JSON data that has an unusual format so that the data can be processed by Splunk platforms.
  - You can define custom functions to use on your data.
  - You can create views of data, either for different user roles or to mask sensitive data.
For information about the language, command, and function differences, see Specific differences between SPL and SPL2.
New terminology with SPL2
While working with SPL2 you will encounter a few new terms and concepts, such as modules, statements, and datasets. These terms are described in the following table:
| Term | Description |
|---|---|
| Module | A module is a file that contains one or more related SPL2 statements. Unlike the Search bar in the Search & Reporting app, a module can contain multiple searches and other SPL2 statements in one place. This means that you can quickly switch back and forth between the searches and search results while continuing to work in the same module. In addition, you can create custom functions and custom data types to use in your searches. You can choose to store all of these resources with your searches in a single module, or place the resources in a separate module. |
| SPL2 statements | SPL2 statements are searches and other types of data-related code. There are several different kinds of SPL2 statements. |
| Dataset | A dataset is a collection of data. A dataset can contain data that you want to search, or the results from a search. There are different kinds of datasets, including indexes, lookups, and views. |
New features in SPL2
The new features in SPL2 provide powerful, dynamic capabilities that were either not available or were particularly difficult to accomplish with SPL.
Create multiple searches in a single file
Gone are the days of using separate browser tabs for each SPL search. Investigating your data is made significantly easier with the SPL2 module editor UI. You can create and save multiple searches in a single file, called a module.
You can create a series of chained searches that branch off of a base search, or you can create multiple branched searches, in parallel.
For more information, see the following topics in the SPL2 Search Manual:
Create custom, reusable resources
In the SPL2 module editor, you can create custom functions and custom data types that can be shared with other users and apps. You can share these custom resources across Splunk products, in your data-processing pipelines and searches.
Data type checking and data validation are made easier in SPL2 by assigning built-in or custom data types to entire datasets or to specific fields. You can build custom evaluation and command functions, which are an evolution of SPL macros, and share them across your Splunk portfolio.
For more information, see the following topics in the SPL2 Search Manual:
Create SPL2 views over indexes
An SPL2 view is a dataset that is based on the result set of an SPL2 search. An SPL2 view is a virtual view over a physical index.
SPL2 views are powerful, reusable, RBAC-enforced pieces of SPL2. For example, you can:
- Create a view from the results of a preliminary search. You can then use the view as the base search for multiple cascading, chained searches.
- Create a view that filters or masks sensitive data in an index. You can then share the view, and not the underlying index, with users who don't need to have access to the sensitive data.
You use a view in a search by specifying the view name where you normally specify an index name. Views are a kind of dataset.
For more information, see SPL2 views in the SPL2 Search Manual.
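As an added example (not from the original page or from Splunk's own documentation), the following SPL2 module statements show the pattern described above: a search that removes or masks sensitive fields, which is what you would save as a view and share instead of the underlying index, followed by a chained search that runs over it. The index and field names (main, webaccess, email, card_number, password, status, host) are assumed.

```spl2
// Constructed example. Index "main", sourcetype "webaccess" and the
// fields email, card_number, password, status and host are assumed names.

// Statement 1: the search that becomes the shared view. It masks the
// sensitive values and drops the raw fields before anyone sees them.
$masked_web = from main where sourcetype="webaccess"
    // Replace every digit except the last four of the card number with X
    | eval card_masked = replace(card_number, "[0-9](?=[0-9]{4})", "X")
    // Hide the local part of the e-mail address, keep the domain
    | eval email_masked = replace(email, "^[^@]+", "***")
    // Remove the raw sensitive fields so they never reach view consumers
    | fields - password, card_number, email

// Statement 2: a chained search over the masked results. A user who is
// granted the view but not the index only ever sees the masked values.
$errors_by_host = from $masked_web
    | where status >= 500
    | stats count() by host, span(_time, 5m)
    | sort -count
```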
Normalize JSON data
Working with JSON data can be challenging. Splunk platforms can’t easily reformat JSON data that has an unusual format. But with SPL2 JSON functions and lambda expressions, you can normalize your JSON data so that you can use the data processing power inherent in Splunk.
For more information, see the Normalize JSON example in the Examples using lambda expressions in the SPL2 Search Manual.
Use SQL syntax in your searches
The following example is an SPL2 search written with SQL syntax:

```sql
SELECT count(), host, _time
FROM main
WHERE sourcetype="webaccess" AND `ERROR`
GROUP BY host, span(_time, 5m)
HAVING count > 10
ORDER BY count desc
LIMIT 50
OFFSET 20
```
For more information, see from command: Overview in the SPL2 Search Reference.