Use Quick Fix actions to convert a search from SPL to SPL2.

When writing a search in the SPL2 module editor, you can convert a search from SPL to SPL2 by applying Quick Fix actions.

Quick Fix actions are supported for many but not all SPL conversions. To check if the SPL2 module editor supports conversion for a given snippet of SPL syntax, enclose that snippet in backtick ( ` ) characters and place your caret inside the snippet. If the SPL2 module editor supports the conversion, a Show Code Actions icon () appears in the SPL2 panel. You can then select the icon to view the available Quick Fix action and apply it to your search.

The following screenshot shows what the SPL2 panel looks like when you select the Show Code Actions icon () to access the Convert SPL to SPL2 Quick Fix action:

Note: For information about the layout and features of the SPL2 module editor, see SPL2 module editor overview.

1. From Splunk Home, select Search & Reporting in the Apps panel.
2. On the Search page, in the Search, transform, and analyze data using SPL2 area of the page, select Search in SPL2 module.

   The SPL2 module editor opens on a new browser tab and displays an empty module.

3. In the Select data to search panel, select the index that you want to search and then select Apply.

   The SPL2 panel populates with an import statement and a search statement. The import statement makes your index available to searches in this module, and the search statement is what you use to actually search the data in your index.

   For example, if you select an index named main, then the following statements appear in the SPL2 panel:

   import main from ~indexes
   
   $search = search index=main

4. In the SPL2 panel, enter the SPL syntax that you want to convert into SPL2.

   $search = search index=main | fields host* categoryId | eval low-categoryId=lower(categoryId)

   If you try to run this search, the SPL2 module editor returns the following error message:

   Invalid Request
   
   Expression 'host*categoryId' is not a valid field expression.

5. Identify the SPL syntax that you want to convert into SPL2 by enclosing it in backtick ( ` ) characters.

   $search = search index=main | `fields host* categoryId | eval low-categoryId=lower(categoryId)`

   The SPL2 module editor detects a valid conversion for this SPL snippet, and displays a Show Code Actions icon () to indicate that a Quick Fix action is available.

6. If the Show Code Actions icon () is available, select it and then select the available Quick Fix action.
   Note: Be aware that you cannot revert your search back to SPL after converting it to SPL2. If you want to preserve a copy of your SPL search, then before applying the Quick Fix action, copy and paste the search to a new line in the module and rename the search.

   Continuing the example from the previous step, if you select the Show Code Actions icon () and then select Convert SPL to SPL2, the SPL snippet is converted into the following SPL2:

   $search = search index=main | fields 'host*', categoryId | eval 'low-categoryId'=lower(categoryId)

   SPL2 requires field names that contain special characters to be enclosed in single quotation marks ( ' ). In this example, host* contains an asterisk ( * ) and low-categoryId contains a hyphen ( - ), so the conversion tool enclosed those field names in single quotation marks.

   Additionally, SPL2 requires the field names in a list of fields to be separated by commas ( , ). In this example, the fields command lists 2 fields, so the conversion tool inserts a comma between those fields.