Searching data using SPL2

SPL2 is a versatile language for querying and manipulating data across Splunk products, offering unified search and data preparation capabilities.

The Search Processing Language (SPL) is a set of commands that you use to curate and search your data. Splunk supports 2 versions of the Search Processing Languages: SPL and SPL2.

This SPL2 Search Manual describes how to use SPL2 to search, analyze, and prepare data in the Splunk platform.

Note:

If you are looking for information about using SPL, see the following pages:

For Splunk Cloud Platform, see the Search Manual in the Splunk Cloud Platform documentation.
For Splunk Enterprise, see the Search Manual in the Splunk Enterprise documentation.

About SPL2

SPL2 is a query and data manipulation language that is designed to work with data across multiple Splunk products. It unifies search and data preparation for Splunk analysts, app developers, and data managers with a powerful, flexible, and easy to use language.

In the Search & Reporting app, you can use SPL2 to access and work with indexed data in a variety of ways, including the following:

  • Write searches using flexible syntax that resembles SQL and SPL to retrieve the specific subset of data that's relevant to your query or investigation.

  • Define custom SPL2 items such as functions, commands, and data types that extend the default set of SPL2 features and allow you to handle your data exactly as needed.

  • Create SPL2 modules to work with multiple searches in the same browser tab. You can chain searches in series to drill down into your data using increasingly narrow filtering criteria, or branch searches in parallel to investigate your data from different perspectives.

  • Export, share, and reuse search results and other custom-defined SPL2 items from one module to another for convenience and ease of collaboration.

For more information about SPL2, such as how it is used in other Splunk products, the ways that it is different from SPL, and explanations of new SPL2 terminology, see the SPL2 Overview manual.

Get started with SPL2 in the Search & Reporting app

Get started with SPL2 and find out how to start searching in the Search & Reporting app.

Start by confirming that you are running a version of the Splunk platform that supports SPL2 in the Search & Reporting app. Then, familiarize yourself with the interfaces for running SPL2 searches as well as the supported SPL2 syntax, and start writing and running searches to investigate your data.

For more information, see the sections that follow.

Confirm that your Splunk platform deployment supports SPL2

Your Splunk platform deployment must meet the following requirements:

ProductRequirements

Splunk Cloud Platform
  • Version: 10.2.2510 or higher

Splunk Enterprise
  • Version: 10.2 or higher
  • Platform: Linux

To verify that your Splunk platform deployment supports SPL2 searches, from Splunk Home, select Search & Reporting in the Apps panel. If your deployment supports SPL2 searches, the following features are available:

  • The Modules tab

  • The language picker above the Search bar, which defaults to SPL

  • The Search, transform, and analyze data using SPL2 area under the Search bar

This screen image shows the Search page, which is the default page of the Search & Reporting app. The SPL2 UI features are highlighted with a red outline.

If these features are not available, contact your Splunk representative for assistance.

Start searching using SPL2

In the Search & Reporting app, you can write and run SPL2 searches in the Search bar or in the SPL2 module editor. Choose the interface that best meets your needs, and refer to the documentation links for guidance on how to navigate to and use each interface.

User interfaceDescriptionFor more information

Search bar

Use the Search bar to create a single ad-hoc search.

The Search bar is suitable for standalone searches that you don't plan to reuse. It does not support the ability to work with multiple searches or custom functions, custom commands, and custom data types.

To familiarize yourself with the layout and features of the Search page where the Search bar is located, see Search page overview for SPL2.

For instructions on how to run searches in the Search bar, see the Standalone searches in the Search bar chapter.

SPL2 module editor

Use the SPL2 module editor to create multiple searches in a single file called a module.

The SPL2 module editor provides complete support for features that are unique to SPL2:

  • Branched searches

  • Custom functions, custom commands, and custom data types

  • Reuse and sharing workflows for SPL2 items

To familiarize yourself with the layout and features of the SPL2 module editor, see SPL2 module editor overview.

For instructions on how to run searches in the SPL2 module editor and manage your modules, see the Multiple searches in the SPL2 module chapter.

For a walkthrough on how to write a basic search with valid SPL2 syntax in either of these interfaces, see the Quick start: Write and run a basic SPL2 search chapter.

For detailed reference information about SPL2 syntax and the supported commands, functions, and data types, see the SPL2 Search Reference manual.