Splunk Cloud Platform

Search Experience preview

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Differences between SPL and SPL2

The Search Processing Language, version 2 (SPL2) includes the most popular commands from SPL, such as stats, eval, timechart, and rex.

Several of the SPL commands have been enhanced or converted to functions in SPL2, and a few new commands have been added with SPL2.

The most common differences between SPL and SPL2 are described in this topic. The SPL2 Search Reference describes the differences in more detail.

Store multiple searches in a single file

Unlike the current Search and Reporting app, an SPL2 module can contain multiple searches and other SPL2 statements in one file. This means that you can quickly switch back and forth between these searches and search results.

For example, you can create a main search and branch or extend that search into other searches, or you can create other related searches in the same module.

In addition, you can create custom functions (like macros) and custom data types to use in your searches and store all of these items with your searches in a single module.

For more information about modules and statements, see New terms and concepts.

Searches must have a name

In the Splunk Cloud Platform Search Experience preview, every SPL2 search statement must begin with a name. The name must start with the dollar "$" symbol. For example: $mysearch1 or $threats_by_hour.

After the name, you must specify an equal symbol ( = ), a generating command, and a dataset name. For example:

$mysearch1 = from sample_data

Each search name in a module must be unique.

Extending searches

The search name is like a variable, which you can refer to in subsequent searches. For example, the name of the following search is $prod_lookup:

$prod_lookup = from sample_data
where sourcetype LIKE "access_%" AND status=200 
| lookup sample_products_lookup productID AS productId OUTPUTNEW product_name
| fields productId, product_name

You can use the results of the $prod_lookup search as the dataset for another search by specifying the search name where you would specify the dataset:

$prod_stats = from $prod_lookup
| stats count() by product_name

For more information, see Extend and branch search statements in the SPL2 Search Manual.

Commands

SPL2 includes the most popular commands from SPL, such as stats, eval, timechart, and rex.

  • Several of the SPL commands are enhanced in SPL2, such as stats, from, and join.
  • Several SPL commands have been converted to functions in SPL2, such as cluster and spath.
  • SPL2 introduces a few new commands, including branch, into, and thru.

All of the commands and functions supported in SPL2 are described in the SPL2 Search Reference.

Search command

The search command in SPL2 works like it does in SPL, but is no longer implied at the beginning of a search.

You must specify the search command explicitly at the beginning of a search:

Version   Example
SPL       index=main status=200
SPL2      search index=main status=200
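The naming, uniqueness, extension and explicit-search rules above can be checked mechanically before a module is deployed. The following linter is an added example, not Splunk code; it assumes a simplified module that contains only search statements (no custom functions or data types), treats from, search and select as the allowed leading keywords, and treats any $name in a statement body as a reference to another search in the module. The sample module is constructed here and deliberately violates several rules.

```python
import re

# Constructed sample SPL2 module (added example input, not from the Splunk docs).
# It mixes a valid search chain with statements that break the rules described above.
SAMPLE_MODULE = """
search index=main status=200

$prod_lookup = from sample_data
where sourcetype LIKE "access_%" AND status=200
| lookup sample_products_lookup productID AS productId OUTPUTNEW product_name

$prod_stats = from $prod_lookup
| stats count() by product_name

$legacy = index=main status=200

$prod_stats = from sample_data

$orphan = from $missing_search
"""

GENERATING = ("from", "search", "select")  # assumption: keywords a search statement may start with
STMT_RE = re.compile(r"^\$(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<body>.*)$", re.DOTALL)

def split_statements(text):
    """Split module text into statements; a new statement begins at a line starting with '$'."""
    return [s.strip() for s in re.split(r"\n(?=\$)", text.strip()) if s.strip()]

def lint_module(text):
    """Return (search_name_or_None, message) findings for rule violations in an SPL2 module."""
    parsed = [(STMT_RE.match(s), s) for s in split_statements(text)]
    defined = {m.group("name") for m, _ in parsed if m}  # every name declared anywhere in the module
    findings, seen = [], set()
    for m, stmt in parsed:
        if not m:
            findings.append((None, "statement must begin with a $name followed by '='"))
            continue
        name, body = m.group("name"), m.group("body")
        if name in seen:
            findings.append((name, "duplicate search name in module"))
        seen.add(name)
        tokens = body.split()
        first = tokens[0].lower() if tokens else ""
        if first not in GENERATING:
            findings.append((name, f"must start with a generating command, not '{first}' (search is not implied in SPL2)"))
        for ref in re.findall(r"\$(\w+)", body):  # a $name used as a dataset must exist in the module
            if ref not in defined:
                findings.append((name, f"references undefined search ${ref}"))
    return findings
```

Running lint_module(SAMPLE_MODULE) reports the unnamed first statement, the implicit search in $legacy, the duplicate $prod_stats, and the unresolved $missing_search reference in $orphan.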

From command

The from command in SPL2 is substantially different from the from command in SPL.

With SPL2 you don't have to qualify the dataset:

Version   Example
SPL       from savedsearch:my_search
SPL2      from mysearch


The SPL2 from command is more like the SQL SELECT command. It has these clauses:

  • FROM
  • JOIN
  • WHERE
  • GROUP BY
  • SELECT
  • ORDER BY
  • LIMIT
  • OFFSET

With SPL2 you can filter, sort, and project with the from command, without piping to other commands:

Version   Example
SPL       from savedsearch:my_search
          | where host="www2"
          | sort action desc
          | stats count by action
SPL2      from my_search
          where host="www2"
          group by action
          select action, count(action)
          order by action desc

You can start the from command with either the FROM clause or the SELECT clause. The clauses can be specified in uppercase or lowercase.

The following SPL2 searches produce the same results. One starts with the FROM clause and the other starts with the SELECT clause:

$with_from = FROM sample_data_index
WHERE host="www2"
GROUP BY action
SELECT action, count(action) as count
ORDER BY count DESC

$with_select = SELECT action, count(action) as count
FROM sample_data_index
WHERE host="www2"
GROUP BY action
ORDER BY count DESC

For more information about the SPL2 from command, see from command overview in the SPL2 Search Reference.

See also

Related information
Search experience overview
Last modified on 13 April, 2023

This documentation applies to the following versions of Splunk Cloud Platform: search2preview