SPL2 module editor overview

Use the SPL2 module editor in the Search & Reporting app to manage multiple SPL2 statements within a single module file, enabling advanced search capabilities and seamless navigation between search results.

In the Search & Reporting app, you can use the SPL2 module editor to work with multiple SPL2 statements in a single file called a module. This multi-statement support allows you to write and run multiple searches and switch between their results while remaining on the same browser tab. It also allows you to create advanced searches that use custom functions and data types or refer to the results of other searches.

The SPL2 module editor includes a variety of features to help you build and read your searches:

  • Point-and-click actions that update your search with the appropriate SPL2 command or function for completing the specified action.

  • Tooltips that provide auto-complete suggestions as you write your search, and displays documentation and examples for any SPL2 command or function you select.

  • Syntax highlighting that helps you scan through long searches and detect syntax errors.

To navigate to the SPL2 module editor, from the Splunk Home page, select Search & Reporting in the Apps panel. Then, select the Modules tab and select New module.

To learn more about the SPL2 module editor features that you can use to write, run, and work with SPL2 searches and modules, see the following sections on this page:

SPL2 module editor UI

Use the following screenshot and the table below it to become familiar with the main parts of the SPL2 module editor.

You can also select the tooltip icons (This image shows a circular icon with a lowercase "i" inside.) located throughout the SPL2 module editor to learn more about each area of the UI.
This image shows red circles with numbers inside that identify the parts of the SPL2 module editor. The table below the screen image describes each of the numbered screen parts.

Number

Element

Description

1

Outline panel

Lists the names of SPL2 statements in the module.

Use this panel to navigate between statements, add new search statements, and access more advanced features such as branching or exporting a search.

2

SPL2 panel

Displays the SPL2 statements in the module.

Enter the statements, commands, and functions that you want to use to work with your data.

3

Search results panel

Shows the results for the search that’s selected in the SPL2 panel.

4

Time range picker

Specify the time period for the searches in the module, such as the last 30 minutes or yesterday. The default is Last 24 hours.

5

Run icon

Run the search that’s selected in the SPL2 panel.

6

Data list

Select the datasets that you want to search, such as indexes or views.

7

Actions panel

Displays any data manipulation actions that are specified for the selected search.

Select the plus icon (This image shows an icon with a plus sign.) to open a list of actions that you can configure using point-and-click workflows.

8

Fields panel

Analyze your search results.

You can choose which fields to display in the results, view metrics about a field, and select the Fields overview icon (This image shows an icon with a square divided into quadrants.) to view summarized information about the results.

Access the in-product SPL2 tutorial

The Search & Reporting app includes a tutorial that you can use to start becoming familiar with the SPL2 module editor.

To access this tutorial, do the following:

  1. From Splunk Home, select Search & Reporting in the Apps panel.

  2. On the Search page, in the Search, transform, and analyze data using SPL2 area of the page, select Get started with guided help.

    The SPL2 module editor opens on a new browser tab.

You can walk through the tutorial shown in the SPL2 panel to get started with searching.

Keyboard shortcuts

In the SPL2 module editor, you can use the following keyboard shortcuts to help you work with your searches and other SPL2 statements.

Action

Linux or Windows

macOS

Run the selected search

Control+Enter

Command+Enter

Add or remove comment characters (//) in the current line

Control+/

Command+/

Open or close SPL2 help

Control+Space

Control+Space

Increase indent

Control+]

Command+]

Decrease indent

Control+[

Command+[

Undo the previous action

Control+Z

Command+Z

Redo the previous action

Control+Y

Command+Y

Find a term

Control+F

Command+F

Find and replace a term

Control+H

Command+Option+F

Collapse the active statement

Control+Shift+[

Command+Opt+[

Expand the active statement

Control+Shift+]

Command+Opt+]

Collapse all statements

Control+K then Control+0 (zero)

Command+K+0 (zero)

Expand all statements

Control+K then Control+J

Command+K+J

Move the contents of the current line down

Alt+Down

Option+Down

Move the contents of the current line up

Alt+Up

Option+Up

Add multi-cursor above

Control+Alt+Up

Command+Option+Up

Add multi-cursor below

Control+Alt+Down

Command+Option+Down

Move multi-cursor from current line to the line above

Control+Alt+Shift+Up

Command+Option+Shift+Up

Move multi-cursor from current line to the line below

Control+Alt+Shift+Down

Command+Option+Shift+Down

See also

Related information

Create an SPL2 module