Create search-based visualizations with SPL2

Create search-based visualizations using the Splunk Search Processing Language version 2 (SPL2), a more concise version of SPL that supports both SPL and SQL syntax. This document refers to the first, older version of SPL as "SPL". You can use the following SPL2 data source types in Dashboard Studio:

Data source type | Description
ds.spl2 | Create single-statement searches from within a dashboard, for use only in that dashboard.
ds.spl2.view | Reference existing views from SPL2 modules. A view is a named SPL2 search that has been exported from a module. A module is a file that contains one or more related SPL2 statements and can be useful for grouping together related searches, functions, and datasets. See Modules and SPL2 statements. Referencing a search using ds.spl2.view is similar to referencing saved searches in SPL using ds.savedSearch.

ds.spl2

The following shows an example of an SPL2 search. The example search queries for the most purchased categories of games for a fictitious online game store:
search sourcetype=access_* status=200 action=purchase | spl1 "| top categoryId"
The following shows the source code for a data source that uses this search:
{
    "type": "ds.spl2",
    "options": {
        "query": "search sourcetype=access_* status=200 action=purchase | spl1 \"| top categoryId\""
    },
    "name": "most_purchased_game_categories"
}
The following shows a pie chart that uses this data source as its primary data source:

A colorful pie chart showing the most purchased categories of games.

ds.spl2.view

Use ds.spl2.view to reference existing views from SPL2 modules. The following shows an example of an SPL2 module. The example module contains an import statement, several search and export statements, and a function. $cat_id and $purchases are parallel branch searches of $hostwww1, the base search:
import main from ../../../../indexes

$hostwww1 = from main where status=200 AND host="www1"

$cat_id = from $hostwww1 where categoryId IN("SIMULATION","STRATEGY")

$bytes = from main | stats sum(bytes) AS 'Sum of bytes' BY host

$purchases = from $hostwww1 where action="purchase" 

function isError($code : number) : boolean {
  return $code >= 400 
}

export main
export $cat_id
export $purchases
export isError
This module exports two search statements, $cat_id and $purchases, as views, which you can reference in a dashboard as a data source. The following shows the source code for a data source that uses the purchases view:
{
    "type": "ds.spl2.view",
    "options": {
        "view": "purchases",
        "namespace": "~.apps.search.mynewmodule"
    },
    "name": "purchases"
}
The following shows an events viewer visualization that uses this data source as its primary data source:

An events viewer visualization showing events where status=200, host="www1", and action="purchase"

Limitations

  • SPL2 data sources do not support base and chain searches. Since chain searches only work with SPL and not SPL2, you cannot extend base searches with SPL2. For similar functionality when using SPL2, create and branch searches in a module and export the child or branch search as a view to use in a dashboard.
  • For SPL2 view data sources, namespaces are only supported in shortcut format, not in absolute format.
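The following is an added example, not code from Splunk or from this page: a small Python script that builds both kinds of data source definition described above (ds.spl2 and ds.spl2.view). It derives the views from the module text (only exported search statements count, not the imported dataset or the function), serializes the ds.spl2 query with the quote escaping shown earlier, and rejects namespaces that are not in shortcut format; the "~." prefix check and the helper names are assumptions.

```python
import json
import re

# Constructed sample: the SPL2 module shown on this page, embedded inline.
MODULE_TEXT = """import main from ../../../../indexes
$hostwww1 = from main where status=200 AND host="www1"
$cat_id = from $hostwww1 where categoryId IN("SIMULATION","STRATEGY")
$bytes = from main | stats sum(bytes) AS 'Sum of bytes' BY host
$purchases = from $hostwww1 where action="purchase"
function isError($code : number) : boolean {
  return $code >= 400
}
export main
export $cat_id
export $purchases
export isError
"""

SEARCH_STMT = re.compile(r"^\$(\w+)\s*=", re.MULTILINE)          # $name = ...
EXPORT_STMT = re.compile(r"^export\s+\$?(\w+)\s*$", re.MULTILINE)  # export name

def exported_views(module_text):
    """Names of exported search statements (views), in export order. An
    exported dataset (the imported index) or function is not a view."""
    statements = set(SEARCH_STMT.findall(module_text))
    return [n for n in EXPORT_STMT.findall(module_text) if n in statements]

def spl2_source(name, query):
    """Build a ds.spl2 data source for a single-statement search."""
    return {"type": "ds.spl2", "options": {"query": query}, "name": name}

def spl2_view_source(name, view, namespace):
    """Build a ds.spl2.view data source. Namespaces not in the shortcut form
    shown on the page are rejected (the "~." prefix test is an assumption)."""
    if not namespace.startswith("~."):
        raise ValueError(f"namespace must use shortcut format: {namespace}")
    return {"type": "ds.spl2.view",
            "options": {"view": view, "namespace": namespace}, "name": name}

def dashboard_data_sources(module_text, namespace):
    """One ds.spl2.view data source per view the module exports."""
    return {v: spl2_view_source(v, v, namespace)
            for v in exported_views(module_text)}

def to_dashboard_json(sources):
    """Serialize data sources; json.dumps escapes the inner quotes of spl1 "..."."""
    return json.dumps(sources, indent=4)
```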