Where can I use SPL2?

There are multiple interfaces where you can use SPL2.

You can use SPL2 in the following interfaces:

  • Search & Reporting app
  • Pipeline editor
  • Splunk Extension for VS Code
  • REST API interfaces

To see a summary description, a list of primary users, and how to access these interfaces, see the SPL2 UI Quick Reference.

Search & Reporting app

From the Search & Reporting app in either Splunk Cloud Platform or Splunk Enterprise, you can create SPL2-based searches. You can run ad hoc, standalone SPL2 searches using the Search bar or use the SPL2 module editor to write multiple searches in a single file.

Note: On Splunk Enterprise, SPL2 is supported only on *nix (Unix and Linux) operating systems in the Search & Reporting app. On Splunk Cloud Platform, SPL2 is supported on all of the operating systems that Splunk Cloud Platform supports.

The following image shows a new search in the Search & Reporting app. SPL2 is selected from the language picker that is above the search bar.

[Image: a new search in the Search & Reporting app. Above the Search bar, the language picker shows SPL2.]

You can convert SPL searches into SPL2 searches or write SPL2 searches directly in the Search bar. For more information about using the Search bar to create standalone SPL2 searches, see Search page overview for SPL2 in the SPL2 Search Manual.

To access the SPL2 module editor, in the Search & Reporting app select the Modules tab and then select New module. The SPL2 module editor opens, where you can write multiple searches in a single file. The SPL2 module editor is a separate user interface that includes point-and-click actions that write basic SPL2 searches for you.

Additionally, the SPL2 module editor is designed so that you can perform detailed investigations, write chained searches, and create common knowledge objects such as reports, alerts, and dashboards.

The following image shows the key parts of the SPL2 module editor UI:

[Image: multiple searches in the SPL2 module editor. The Outline list of searches is on the left side of the screen. The SPL2 panel, where you write your searches, is in the upper middle of the screen. The timeline and search results panels are below the SPL2 panel. The actions and fields panels are on the right side of the screen.]

For more information, see SPL2 module editor overview in the SPL2 Search Manual.

Pipeline editor

With both the Edge Processor solution and Ingest Processor solution, you use the pipeline editor to create pipelines using SPL2. The pipelines specify what data to process, how to process it, and what destination to send the processed data to.

  • Use Edge Processor to filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information:

    Splunk Cloud Platform

    See About the Edge Processor solution in the Use Edge Processors for Splunk Cloud Platform manual.

    Splunk Enterprise

    See About the Edge Processor solution in the Use Edge Processors for Splunk Enterprise manual.

  • Use Ingest Processor to process data at the time of data ingestion, manage configurations, and monitor data ingest traffic in Splunk Cloud Platform. For more information, see About the Ingest Processor solution in the Use Ingest Processors manual.

The pipeline editor is similar to the SPL2 module editor.

Note: When writing Edge Processor and Ingest Processor pipelines, you can include only the commands and functions that are supported with these solutions. The SPL2 compatibility profiles identify what is supported. See SPL2 compatibility profiles in the SPL2 Search Reference.

Splunk Extension for VS Code

The Splunk Extension for Visual Studio Code is a tool designed to enhance the development experience for Splunk Enterprise and Splunk SOAR users. This extension assists in creating, testing, and debugging Splunk Enterprise apps, add-ons, custom commands, and REST handlers.

The VS Code extension includes support for SPL2, which enables you to create SPL2-based applications and modules.

For more information, see Create SPL2-based apps in the Splunk Developer Guide.

REST API interfaces

Admins and application developers can use REST endpoints to create, update, and delete modules, to run searches, and to add or update module permissions.

For more information, see Endpoints for SPL2-based applications in the REST API Reference.

SPL2 UI Quick Reference

The following table describes each UI that supports SPL2. This quick reference table explains what the UI is used for, who usually uses that UI, and how to access the UI.

User interface: Search bar in the Search & Reporting app

  Usage: To create an ad hoc SPL2-based search. The Search bar supports only 1 search.

  Primary users: Any role for a quick ad hoc search, but primarily:
    • End users
    • Data managers
    • Analysts

  How to access: In the Search & Reporting app, change the language picker above the Search bar from SPL to SPL2.

User interface: SPL2 module editor in the Search & Reporting app

  Usage: To create multiple reusable search components, such as searches and custom resources, in a single file called a module. Custom resources can be shared with other users and apps.

  Primary users:
    • Admins
    • Power users
    • Data managers
    • Knowledge managers
    • Analysts
    • App developers

  How to access: In the Search & Reporting app, select the Modules tab and then select New module.

User interface: Pipeline editor in Edge Processor and Ingest Processor

  Usage: To create pipelines that filter, mask, and transform your data before routing the processed data to Splunk indexes or to external storage.

  Primary users:
    • Data managers

  How to access: In the Edge Processor or Ingest Processor service, select the Pipelines page and then select New pipeline.

User interface: Code editor in Visual Studio (VS) Code, with the Splunk Extension installed

  Usage: To create and modify SPL2-based applications. You can organize the reusable components in your app across multiple modules.

  Primary users:
    • App developers
    • Admins

  How to access: In VS Code, install and configure the Splunk Extension for VS Code to create SPL2-based apps.

User interface: REST API interface, such as Postman or a Terminal window

  Usage: Use API endpoints to create, update, and delete modules, and to set module permissions.

  Primary users:
    • App developers
    • Admins

  How to access: Open the API interface and run the SPL2 REST API endpoints.
