Discover, share, and install apps and add-ons with the Splunk community on Splunkbase. Publish your own or add others to your Splunk platform instance.
Streamline your security operations with a SOAR system that integrates orchestration, playbook automation, and case management to enhance threat response.
Access and share apps and add-ons with the Splunk community on Splunkbase. Publish your own apps, or download and install others on your Splunk platform instance.
Use the "Convert to SPL2" button to convert a search from SPL to SPL2.
When writing a search in the Search bar, you can convert it from SPL to SPL2 by selecting the Convert to SPL2 button. This button is available only when the language picker is set to SPL and the Search bar contains a search.
The following screenshot shows the Search bar when the language picker is set to SPL and the Convert to SPL2 button is available:
Note: For information about the layout and features of the Search page where the Search bar is located, see Search page overview for SPL2.
Conversions are supported for most but not all SPL commands and search formats.
If the conversion succeeds, then the contents in the Search bar are updated into SPL2, and the setting in the language picker changes from SPL to SPL2.
If the conversion fails, then the contents of the Search bar remain unchanged, and the Search page returns the following error message: Failed to convert SPL to SPL2.
From the Splunk Home page, select Search & Reporting in the Apps panel.
On the Search page, confirm that the language picker is set to SPL.
Note: Be aware that you cannot revert your search back to SPL after converting it to SPL2. If you want to preserve a copy of your SPL search, then before selecting the Convert to SPL2 button, copy and paste the search to another location for safekeeping.
The example SPL search shown in the previous step converts into the following SPL2 search:
SPL2 requires field names that contain special characters to be enclosed in single quotation marks ( ' ). In this example, host* contains an asterisk ( * ) and low-categoryId contains a hyphen ( - ), so the conversion tool enclosed those field names in single quotation marks.
Additionally, SPL2 requires the field names in a list of fields to be separated by commas ( , ). In this example, the fields command lists 2 fields, so the conversion tool inserts a comma between those fields.