Splunk® Cloud Services

SPL2 Search Reference


The Search Processing Language (SPL) is a set of commands that you use to search your data.

There are two versions of SPL: SPL and SPL, version 2 (SPL2). This manual describes SPL2.

If you are looking for information about using SPL:
  • For Splunk Cloud Platform, see Search Reference in the Splunk Cloud Platform documentation.
  • For Splunk Enterprise, see Search Reference in the Splunk Enterprise documentation.

What is SPL2?

SPL2 is a product-agnostic, intuitive language that includes the best of both query and scripting languages. SPL2 supports both SPL and SQL syntax patterns. SPL2 is designed to work with the variety of runtimes in the Splunk portfolio. SPL2 is fully backwards compatible with SPL, and can operate in parallel with SPL.

This image shows SPL2 = SPL (+ optional SQL) + programming concepts.

With SPL2, you can create multiple search statements in a single file. You can create user-defined functions and data types for custom processing that are highly composable and reusable. You can share these items with others using import and export operations.

The following table describes the advantages of using SPL2 for different types of users:

SPL2 persona            Usage
End-users               SPL2 is a search language that supports both SPL and SQL syntax.
Application developers  SPL2 is a powerful development and scripting language.
Data administrators     SPL2 is a data preparation language.

This image contains a diagram that shows the SPL2 features for end users and application developers as described before the diagram.

There are several reasons why SPL2 was created:

  • SPL2 reduces the barrier to learning the Splunk search processing language for new users.
  • With SPL2, users no longer need to have wide and deep expertise in multiple tools.
  • You can use SPL2 uniformly against data in-motion and data at rest.
  • SPL2 turbocharges security and observability use cases with rich language capabilities.

Where is SPL2 used?

Several Splunk products use SPL2:

Splunk Data Stream Processor (DSP) uses a set of custom functions, some of which are similar to SPL2 commands and functions. See DSP functions by category in the Splunk Data Stream Processor Function Reference.

Learning SPL2

SPL2 makes the search language easier to use, removes infrequently used commands, and improves the consistency of the command syntax.

There are two Splunk manuals that contain information about SPL2:

SPL2 Search Reference
The SPL2 Search Reference (this manual) contains reference information about the SPL2 search commands, command syntax, data types, and functions.
SPL2 Search Manual
The SPL2 Search Manual contains information about how to use SPL2 commands effectively. You'll learn how to get started searching, how to use expressions and predicates, even how to add comments to your search strings.

Useful links to SPL2 documentation

The following list contains links to SPL2 getting started and quick reference information:

Last modified on 17 May, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
