Why use SPL2?

SPL2 includes significant features not found in SPL.

SPL2 addresses some limitations of SPL, simplifies learning and using the language, and adds consistency to the language.

  • SPL2 reduces the barrier to learning the Splunk search processing language for new users.

  • With SPL2, you no longer need to have wide and deep expertise in multiple tools.

  • You can use SPL2 uniformly against incoming data and data that's already been indexed.

  • SPL2 accelerates security and observability use cases with rich language capabilities.

The following image of an iceberg illustrates that SPL2 has commonly used features that are highly visible, along with the users of those features, and more advanced features that sit below the surface like hidden gems.


This image of an iceberg shows features above and below the water surface. Above the surface are SPL2 commands, multi-statement search, and SQL syntax. Analysts, data managers, and end users will use these features. Below the surface are custom functions, custom types and type validation, views, imports and exports, and partitioning. App developers and admins will use these features.

SPL2 is easier to learn and use

SPL2 is a flexible language. It supports both SPL and SQL syntax in searches and pipelines.

If you already know SPL, you will find SPL2 is easy to use. SPL2 supports the most popular commands and all of the functions in SPL.

If you are familiar with SQL, you will find SPL2 easy to learn. SPL2 supports the clauses you use in SQL SELECT statements, such as FROM, WHERE, GROUP BY, ORDER BY, and JOIN. You can also extend the SQL clauses in SPL2 with SPL-like commands not found in SQL, for maximum flexibility.

SPL2 improves productivity

In the SPL2 module editor, you can create multiple search statements in a single file in one browser tab, eliminating the need for multiple browser tabs to build chained searches for data filtering and iteration.

The following image shows a module in the SPL2 module editor. The module imports the main index and contains several searches.


The SPL2 module editor shows the main index imported into the module and three searches using SPL, SPL2, and SQL syntax.

You can build searches by selecting actions in the SPL2 module editor graphical user interface (GUI). When you select an action, the SPL2 search syntax associated with that action is added to your search. You don't need to be an expert in SPL2 or SQL to filter, modify, and enrich your data.

You can also create dashboards, reports, and alerts directly from your searches within the SPL2 module editor.

SPL2 adds consistency across multiple products

You no longer need to have wide and deep expertise in multiple tools. Whether you are creating pipelines, performing federated searches, or investigating your data, you will use SPL2. The interfaces for these tasks have consistent features, including similar layouts, point-and-click actions, and built-in help resources.

SPL2 is a powerful development and scripting language

SPL2 enables you to manage and transform your data. For example, you can use SPL2 to do the following:

  • Curate and mask sensitive data: Create views of indexed data for specific user roles. Views enable users to see most of the indexed data, but hide sensitive data from roles that don't need to access that data. An SPL2 view is a virtual dataset that is based on the result set of an SPL2 search. Views are Role-Based Access Control (RBAC) enforced.

  • Normalize malformed JSON data: Sometimes JSON data doesn't adhere to logging standards, or the data is stored in a format that is not easily reformatted by Splunk. Use the built-in SPL2 JSON functions with lambda expressions to reformat the data. SPL2 uses consistent dot ( . ) notation expressions for accessing array and object values.

  • Create your own custom functions and data types: You can create custom command functions or custom eval functions tailored to your specific needs. Custom functions, unlike macros, have capabilities such as data type checking and advanced optimizations. With custom data types, you can specify a set of complex characteristics that define the shape of your data. Use custom data types to provide structure and data validation to datasets or fields.

  • Share custom resources across products that support SPL2: Custom SPL2 resources such as functions, data types, and views are highly extensible and reusable. You can share resources between different contexts by using import and export statements. These statements create explicit resource dependencies and abstractions to hide complexities from users.

SPL2 is a seamless streaming data preparation language

The Splunk data preparation solutions use SPL2 to filter, mask, extract fields, and route your data using pipelines:
  • With Edge Processor, you can filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information about these capabilities,
  • With Ingest Processor, you can configure data flows, control the data format, and apply transformation rules before indexing the data and routing it to its destination. For more information about these capabilities, see About the Ingest Processor solution in the Use Ingest Processors manual.

SPL2 improves data control

With SPL2, you can control who sees specific data in a dataset by creating SPL2 views for different user roles. For example, you can create a view that hides sensitive, personal data or create a view that streamlines the data for a specific user role by hiding data that is unnecessary or unused for that role. An SPL2 view is a virtual, RBAC-enforced dataset that is based on the result set of an SPL2 search.

With SPL2, you control access to the views by creating a module that contains views that either mask or filter out sensitive and personal data. You then grant users permissions on that specific module without giving them access to the underlying dataset. You grant users permissions by adding the @run_as_owner; annotation to the module and granting execute permissions on that module.
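As an added illustration of the pattern just described (this is not code from the page or from Splunk's documentation), the following SPL2 module imports the main index, keeps the raw events in an unexported internal statement, and exports one view that masks the last octet of the client IP address and keeps only the fields an analyst role needs. The module statement syntax shown here (the import form, $-prefixed statement names, the export statement) and the field names host, action, bytes and clientip are assumptions for this example; verify them against the SPL2 Search Reference before relying on them.

```spl2
// Added example, not from the original page. Statement syntax and field names are assumed;
// check them against the SPL2 Search Reference.

// Run the module's searches with the owner's permissions, so users need execute
// permission on the module only, not read access to the underlying index.
@run_as_owner;

// Assumption: the main index is imported into the module from splunk.index.
import main from splunk.index;

// Internal dataset: the raw web access events. It is not exported, so users of the
// module cannot query it directly.
$web_raw = from main where sourcetype="access_combined";

// Exported view: replace the final octet of clientip with "xxx" and keep only the
// fields needed for analysis. Every other field in the raw events is dropped here.
$web_masked = from $web_raw
    | eval clientip = replace(clientip, "[.][0-9]+$", ".xxx")
    | fields host, action, bytes, clientip;

// Only $web_masked is visible outside the module.
export $web_masked;
```

Two points matter for the security outcome: the masking happens inside the module, so it runs with the owner's rights and cannot be bypassed by a user who only has execute permission on the module, and the raw statement is deliberately not exported, so nothing exposes the unmasked clientip or any field outside the fields list.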

For more information about views and enabling the @run_as_owner; annotation, see :

SPL2 is fully compatible with SPL

SPL2 is fully compatible with SPL and can operate in parallel with it. You can use the most popular SPL commands in your SPL2 searches. For example, you can run the following search in SPL or SPL2:
search index=main host=www3 action IN(addtocart, purchase) 
| where like(clientip, "182.%")
| stats sum(bytes) BY host

Additionally, all of the statistical and eval functions in SPL can be used in SPL2.

SPL2 commands

The SPL commands supported in SPL2 are:

  • addinfo, append, appendcols, appendpipe, branch, bin, concat, convert, dedup, eval, eventstats
  • expand, fields, fieldsummary, fillnull, flatten, from, head, into, iplocation, join, loadjob
  • lookup, makemv, makeresults, mstats, mvcombine, mvexpand, nomv, ocsf, rename, replace, reverse
  • rex, route, search, sort, spath, spl1, stats, streamstats, table, tags, thru
  • timechart, timewrap, tstats, typer, union, untable, where

Each of these commands is explained, with examples, in the SPL2 Search Reference. See Quick Reference for SPL2 commands.

Commands supported in Edge Processor and Ingest Processor pipelines

A subset of the SPL2 commands are supported in Edge Processor and Ingest Processor pipelines. For specific information about which commands are supported in these products, see the Compatibility Quick Reference for SPL2 commands in the SPL2 Search Reference.

See also