Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

New features in SPL2

With the Search Processing Language, Version 2 (SPL2) you can perform tasks that weren't possible with SPL:

  • Simplify Splunk usage and adoption for new users by supporting both SPL and SQL syntaxes.
  • Support investigations and improve productivity by extending or branching multiple search statements.
  • Enhanced support for actions with and against arrays and objects.
  • Enable data curation and sensitive data masking by creating views of indexed data for specific roles.
  • Foster extensibility and reusability across the portfolio with custom function declarations.
  • Provide optional structure and validation by assigning out-of-box or custom data types to datasets or fields.
  • Imports and exports create explicit resource dependencies and abstractions to hide complexities from users.
  • Compile to SQL, making it highly portable to unmanaged or 3rd party runtimes for future Data Lake integrations.

Support for SPL and SQL syntaxes

To simplify Splunk software usage and adoption for users, SPL2 supports both SPL and SQL syntax patterns.

Core SPL commands are included natively in SPL2. For SPL commands that are not included directly in SPL2, you either can import SPL commands as functions or run SPL directly in an SPL2 search.

The SPL2 from command includes all of the SQL SELECT command clauses: SELECT, FROM, JOIN, WHERE, GROUP BY, HAVING, ORDER BY, LIMIT and OFFSET. You can start your SPL2 search with either the SELECT or the FROM clause. See from command overview.

New commands

SPL2 introduces several new commands.

branch command

Use the branch command to process one set of events or search results, in parallel, simultaneous searches. Each search branch must end with the into command. See the branch command overview.

expand command

Use the expand command on a field that contains an array of values to produce a separate result row for each object in the array. If there are other fields in the original event, those field values are included in the new rows when the array is expanded. See the expand command overview.

flatten command

Use the flatten command on an object to convert the key-value pairs in the object into separate fields in an event. The flatten command can flatten only the first level of an object. See the flatten command overview.

into command

Use the into command to append or replace the contents of a dataset in the search pipeline. The into command is a terminating command. Use the thru command if you want to pass data into another command in the search pipeline. See the into command overview.

spl1 command

Use the spl1 command to embed all or part of an SPL search into an SPL2 search. This command is useful when SPL2 doesn't support an SPL command. See the spl1 command overview.

thru command

Use the thru command to write data to a writeable dataset, and then pass the same data to the next command in the search pipeline. See the thru command overview.

New built-in functions

Dataset functions

Dataset functions are functions that create events to form a dataset. You can use dataset functions with any generating command, such as the from, join, and union commands.

indexes function
Use the indexes function to map to the indexes that you have permission to access. See Overview of SPL2 dataset functions.
repeat function
Use the repeat function to create events in a temporary dataset. The SPL2 repeat dataset function is similar to the SPL makeresults command. See Overview of SPL2 dataset functions.

Evaluation functions

Use evaluation functions to evaluate an expression, based on your events, and return a result.

object_to_array function
Use the object_to_array function to converts data that is in an object format into an array format. See Conversion functions.

Stats and chart functions

Use statistical and charting functions to generate a calculation, such as an average or percentage, based on the fields in your events.

dataset function
Use the dataset function to aggregate events into arrays of SPL2 field-value objects. See Multivalue and array functions.
pivot function
Use the pivot function to aggregate the values in a field and returns the results as an object. See Multivalue and array functions.

Custom functions and data types

With SPL2, you can create custom functions and custom data types.

Custom eval functions

Create your own custom eval functions to extend SPL2. Custom eval functions are user-defined functions that you declare in an SPL2 module. Custom functions have zero or more parameters and return a single value. See Custom eval functions.

Custom command functions

You create a custom SPL2 command by declaring a custom command function. A custom command function is a function that performs like a command. You can create generating and non-generating command functions. See Custom command functions.

Custom data types

You can define your own data types by using either the built-in data types or other custom data types. Data types define the characteristics of the data. With custom data types, you can specify a set of complex characteristics that define the shape of your data. See Custom data types.

Field and string templates

You can use field and string templates as part of eval expressions. Templates start with the dollar sign ( $ ) and use curly braces { } to enclose the expression. In addition, field templates must be enclosed in single quotation marks, such as '${expression}'.

Field templates

A field template generates a field name by using a template. You can use field templates in expressions in the eval command. Field templates must be enclosed in single quotation marks, for example '${expression}'. See Field templates in the SPL2 Search Manual.

String templates

A string template is a string literal that includes one or more embedded expressions. Use string templates when you want a more readable result for your formatted strings. You can use field names and functions in string templates. See String templates in the SPL2 Search Manual.

Literals

SPL2 includes the ability to specify literal values in many parts of the syntax.

Array literals

An array of values or a multivalue field. Arrays are enclosed in square brackets. You can specify constant values and expressions in array literal expressions. See Array and object literals in expressions in the SPL2 Search Manual.

Dataset literals

A dataset literal is an array of objects that you type into your search criteria, instead of specifying a dataset name. You can use a dataset literal anywhere you can specify a dataset name. See Dataset literals in the SPL2 Search Manual.

Object literals

A list of comma-separated values enclosed in curly brackets. A SPL2 object literal is a convenient way to create JSON objects. To be JSON compatible, internally field names are stored with double quotation marks. See Array and object literals in expressions in the SPL2 Search Manual.

Raw string literals

A string value in which the backslash character ( \ ) is not processed. Raw string literals must be preceded by the at symbol ( @ ) and enclosed in double quotation marks. See Types of expressions in the SPL2 Search Manual.

Search literals

A search literal is a predicate that you can use wherever an <expression> is used. Search literals simplify and streamline your search syntax. Search literals must be enclosed in backtick characters ( ` ). See Search literals in the SPL2 Search Manual.

See also

Related information
Differences between SPL and SPL2
Last modified on 27 June, 2023
PREVIOUS
Differences between SPL and SPL2 		  NEXT
SPL2 compatibility profiles

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters