SPL2 release notes


This page contains information about new features, known issues, and resolved issues for the Search Processing Language, version 2 (SPL2), grouped by the generally available release date.

SPL2 is used on both Splunk platforms: Splunk Cloud Platform and Splunk Enterprise. For the release notes, the only difference between these platforms is the versions in which SPL2 is supported.

Splunk Cloud Platform

SPL2 is available on Splunk Cloud Platform version 10.2.0.2511 or higher. Updates are released frequently, and become available across all the supported Splunk Cloud Platform versions at the same time.

Note: SPL2 capabilities are being gradually rolled out to Splunk Cloud Platform and may not be available immediately. If you have an urgent need for these capabilities and do not see them yet in your Splunk Cloud Platform environment, then please contact your Splunk Cloud Platform sales representative.

Splunk Enterprise

SPL2 is available on Splunk Enterprise version 10.2 or higher, for *nix operating systems.


New features, enhancements, and changes

SPL2 release notes for new features, enhancements, and changes.

Splunk releases frequent updates related to SPL2. The following list is updated with the latest functionality and changes to SPL2.

January 12, 2026

| New feature, enhancement, or change | Description |
| --- | --- |
| Unified search and streaming language | SPL2 serves as the industry's first unified search and streaming language, offering a single syntax for searching data in Splunk indexes, accessing federated data stores, and preparing data in-stream across various Splunk products. This enables a "learn once, use everywhere" model, streamlining investments and skillsets across security and observability landscapes. For more information, see What is SPL2?. |
| SPL2 modules and multi-statement editor | SPL2 introduces modules, a new knowledge object, that enables users to create and store multiple search statements, functions, declarations, and imports in a single file. The multi-statement SPL2 editor facilitates complex investigations, debugging, and root cause analyses by enabling rich, chained searches, similar to a Jupyter notebook experience. |
| Role-based access control (RBAC) views | You can now define SPL2-based views over indexes, which are virtual datasets that can be permissioned independently. This feature enables precise data sharing, reduces index bloat, and allows for granular role-based access control (RBAC) without requiring data duplication. For more information, see Manage SPL2-based apps in the Splunk Cloud Platform Admin Manual or Manage SPL2-based apps in the Splunk Enterprise Admin Manual. |
| Custom data types for data quality validation | SPL2 includes the ability to define custom data types, which can be used to describe the data schema and enforce data quality. This enables you to identify and conditionally drop poor-quality data, ensuring accuracy and integrity across the Splunk environment. For more information, see Creating and using data schemas with SPL2 data types in the SPL2 Search Manual. |
| Custom functions | With SPL2, you can write and share custom functions with code-style declarations. These reusable functions, for both eval and command functions, enhance efficiency, promote consistency, and simplify complex domain-specific logic across the Splunk ecosystem. For more information, see Custom eval functions and Custom command functions in the SPL2 Search Manual. |
| Modernized JSON handling | SPL2 provides enhanced, JSON-native capabilities, including powerful lambda expressions for transforming complex nested JSON data. This simplifies data handling, parsing, and normalization using functions like map, reduce, and filter, eliminating the need for complex spath and regex operations. For more information, see Lambda expressions in the SPL2 Search Manual. |
| SQL syntax support | To lower the learning curve and broaden accessibility, SPL2 supports SQL syntax in addition to its SPL-based syntax. This allows users with a SQL background to easily interact with Splunk data, making the platform more approachable for a wider range of users. For more information, see from command: Overview in the SPL2 Search Reference. |
| Compatible with SPL | SPL2 is fully compatible with SPL, ensuring that existing users can leverage their current SPL knowledge and libraries of customized queries. SPL commands can be embedded within SPL2, and an in-product converter is available to facilitate the transition from SPL to SPL2. For more information, see Convert a search from SPL to SPL2 in the SPL2 Search Manual. |

Application development changes

Renamed the _default module to _resources to avoid confusion with other parts of the system that use default for items that should not be changed.

The _resources module is designed for app developers to store common resources in an app, such as custom functions, custom data types, and views that are exported from the module to share within the app namespace.

In addition, introduced a root level _resources module for app developers to store resources to share across namespaces. For more information, see Create SPL2-based apps in the Splunk Developer Guide.

Changed REST API endpoints

Changes were made to the SPL2 REST API endpoints.

The following table describes changes to the SPL2 endpoints in this release:

| Old endpoint | New endpoint |
| --- | --- |
| search/spl2-module-dispatch. Supported the POST method. | services/orchestrator/v1/spl2/modules/dispatch. Continues to support the POST method. |
| services/spl2/modules. Supported the POST method. | services/orchestrator/v1/spl2/modules. Added the LIST method. Removed the POST method. To create a module, use the services/orchestrator/v1/spl2/modules/{resourceName} endpoint with the PUT method and include the isUpdate parameter. |
| services/spl2/modules/{resourceName}. Supported the GET, POST, and DELETE methods. | services/orchestrator/v1/spl2/modules/{resourceName}. Supports the GET, PUT, and DELETE methods. The PUT method was added. The POST method was removed. To create a module, use the PUT method and include the isUpdate parameter. |
| services/spl2/permissions. Supported the POST method. | services/orchestrator/v1/spl2/modules/permissions. Supports the GET and PUT methods. The PUT method was added. The POST method was removed. The GET method requires the resourceName parameter. |

New REST API endpoints
The following SPL2-related endpoints were added:
  • services/orchestrator/v1/datasets, which supports the GET method.

  • services/orchestrator/v1/datasets/:datasetid, which supports the GET method.

  • services/orchestrator/v1/spl2/convert, which supports the POST method.

Removed REST API endpoints
The following SPL2 endpoints were removed:
  • services/spl2/permissions/role/{rolename}

  • services/spl2/permissions/user/{username}

To set permissions, use the services/orchestrator/v1/spl2/permissions endpoint.
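
An added example, not part of the Splunk documentation: a short Python audit that flags requests still targeting the old or removed SPL2 endpoints listed above and reports the replacement path and whether the HTTP method must also change. The endpoint mapping is transcribed from the tables above; the log line format, account names, and module name are constructed for illustration, and a resource name is assumed to be a single path segment.

```python
import re

NEW = "services/orchestrator/v1/spl2/"
# (old endpoint, replacement, methods the replacement supports per the tables
#  above; None where the release notes do not list them)
MIGRATIONS = [
    ("search/spl2-module-dispatch", NEW + "modules/dispatch", {"POST"}),
    ("services/spl2/modules", NEW + "modules", {"LIST"}),
    ("services/spl2/modules/{resourceName}", NEW + "modules/{resourceName}", {"GET", "PUT", "DELETE"}),
    ("services/spl2/permissions", NEW + "modules/permissions", {"GET", "PUT"}),
    ("services/spl2/permissions/role/{rolename}", NEW + "permissions", None),
    ("services/spl2/permissions/user/{username}", NEW + "permissions", None),
]

def _compile(template):
    # "{name}" stands for one path segment; any URL prefix may precede the path.
    parts = ["[^/]+" if p.startswith("{") else re.escape(p) for p in template.split("/")]
    return re.compile(r"(?:^|/)" + "/".join(parts) + r"/?$")

RULES = [(_compile(old), old, new, ok) for old, new, ok in MIGRATIONS]
REQUEST = re.compile(r"\b(GET|POST|PUT|DELETE)\s+(/\S+)")

SAMPLE_LOG = [  # constructed lines in an assumed format, not real splunkd output
    "2026-01-20T10:00:01Z svc-deploy POST /services/spl2/modules/soc_views",
    "2026-01-20T10:00:05Z svc-deploy GET /services/spl2/modules/soc_views",
    "2026-01-20T10:01:12Z svc-rbac POST /services/spl2/permissions/role/analyst",
    "2026-01-20T10:02:30Z svc-deploy PUT /services/orchestrator/v1/spl2/modules/soc_views",
    "2026-01-20T10:03:00Z svc-search POST /services/search/spl2-module-dispatch",
]

def audit(lines):
    """Return (line number, method, old endpoint, replacement, action) per legacy call."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        path = m.group(2).split("?", 1)[0] if m else ""  # ignore any query string
        for rx, old, new, ok in RULES:
            if not rx.search(path):
                continue
            if ok is None:
                action = "endpoint removed: set permissions through the replacement"
            elif m.group(1) in ok:
                action = "update path"
            else:
                action = "update path and method (supported: " + ", ".join(sorted(ok)) + ")"
            findings.append((n, m.group(1), old, new, action))
            break
    return findings
```

Running `audit(SAMPLE_LOG)` flags lines 1, 2, 3, and 5 and leaves the request to the new endpoint on line 4 alone.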

Known issues

SPL2 release notes known issues.

This section lists known issues for SPL2. The information is organized in tables by product or capability.

Splunk Enterprise

| Date filed or added | Issue number | Description |
| --- | --- | --- |
| 2025-09-03 | SCP-77542 | Search & Reporting app: SPL2 is not available in Splunk Enterprise when you run the instance as the root user. Workaround: Configure your system to run Splunk Enterprise as a non-root user. For more information, see Run Splunk Enterprise as a different or non-root user in the Installation Manual. |

Visualizations

| Date filed or added | Issue number | Description |
| --- | --- | --- |
| 2025-04-07 | SPL-274314 | Dashboard Studio: In dashboard panels that are based on SPL2 searches, the "Link to search" interaction is not supported, and might have unexpected results when it's configured. Workaround: To see the search that the panel is based on, select the magnifying glass icon in the visualization panel to "Open in Search". |
| 2025-01-29 | SPL-269913 | Search & Reporting app: Map visualizations that are based on SPL2 searches will not render on the Visualizations tab. Workaround: You can save the search as a dashboard panel in Dashboard Studio and then create a map visualization on your dashboard in Dashboard Studio. |
| 2025-02-27 | SPL-271848 | Search & Reporting app: Search results in a data table visualization can't be sorted. Workaround: You can save the search as a dashboard panel in Dashboard Studio and then sort the data table in Dashboard Studio. |
| 2025-03-03 | SPL-272031 | Search & Reporting app: When a data point is selected in a visualization, the drilldown to view the underlying search event for that data point is not available. Workaround: None |

Federation

| Date filed or added | Issue number | Description |
| --- | --- | --- |
| Unavailable | Unavailable | Federated Search for Splunk: SPL2 searches do not support standard mode federated providers. Workaround: Use transparent mode instead. When using transparent mode federated providers with SPL2 searches, the index referenced in the search must be an index on your local Splunk platform deployment. |

Fixed issues

This section lists fixed issues for SPL2.

January 12, 2026

Because this is the initial release of SPL2, there are no fixed issues. In subsequent releases, any fixed issues will be listed here.