New features in SPL2
With the Search Processing Language, Version 2 (SPL2) you can perform tasks that weren't possible with SPL:
- Simplify Splunk usage and adoption for new users by supporting both SPL and SQL syntaxes.
- Support investigations and improve productivity by extending or branching multiple search statements.
- Enhanced support for actions with and against arrays and objects.
- Enable data curation and sensitive data masking by creating views of indexed data for specific roles.
- Foster extensibility and reusability across the portfolio with custom function declarations.
- Provide optional structure and validation by assigning out-of-box or custom data types to datasets or fields.
- Imports and exports create explicit resource dependencies and abstractions to hide complexities from users.
- Compile to SQL, making it highly portable to unmanaged or 3rd party runtimes for future Data Lake integrations.
Support for SPL and SQL syntaxes
To simplify Splunk software usage and adoption for users, SPL2 supports both SPL and SQL syntax patterns.
Core SPL commands are included natively in SPL2. For SPL commands that are not included directly in SPL2, you can either import SPL commands as functions or run SPL directly in an SPL2 search.
The SPL2 from command includes all of the SQL SELECT command clauses: SELECT, FROM, JOIN, WHERE, GROUP BY, HAVING, ORDER BY, LIMIT and OFFSET. You can start your SPL2 search with either the SELECT or the FROM clause. See from command overview.
New commands
SPL2 introduces several new commands.
branch command
Use the branch command to process one set of events or search results, in parallel, simultaneous searches. Each search branch must end with the into command.
See the branch command overview.
expand command
Use the expand command on a field that contains an array of values to produce a separate result row for each object in the array. If there are other fields in the original event, those field values are included in the new rows when the array is expanded. See the expand command overview.
flatten command
Use the flatten command on an object to convert the key-value pairs in the object into separate fields in an event. The flatten command can flatten only the first level of an object. See the flatten command overview.
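The expand and flatten commands described above, applied together to a constructed authentication event. This is an added example, not taken from the Splunk documentation; the field names user, attempts, src, and result are made up for illustration.

```spl2
// Constructed sample data: one event per user, with login attempts
// nested as an array of objects. A dataset literal stands in for an index.
FROM [
  {user: "alice", attempts: [
    {src: "198.51.100.7", result: "failure"},
    {src: "198.51.100.7", result: "failure"},
    {src: "203.0.113.9", result: "success"}
  ]},
  {user: "bob", attempts: [
    {src: "192.0.2.44", result: "failure"}
  ]}
]
// expand: one result row per object in the attempts array;
// the user field is copied onto every new row.
| expand attempts
// flatten: promote the first-level keys of each attempts object
// (src, result) to separate fields.
| flatten attempts
// With src and result as ordinary fields, count failures per user and source.
| where result="failure"
| stats count() AS failures BY user, src
```

Because flatten handles only the first level of an object, an object nested inside one of the attempts entries would still be an object after this step.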
into command
Use the into command to append or replace the contents of a dataset in the search pipeline. The into command is a terminating command. Use the thru command if you want to pass data into another command in the search pipeline. See the into command overview.
spl1 command
Use the spl1 command to embed all or part of an SPL search into an SPL2 search. This command is useful when SPL2 doesn't support an SPL command. See the spl1 command overview.
thru command
Use the thru command to write data to a writeable dataset, and then pass the same data to the next command in the search pipeline. See the thru command overview.
New built-in functions
Dataset functions
Dataset functions are functions that create events to form a dataset. You can use dataset functions with any generating command, such as the from, join, and union commands.
- repeat function: Use the repeat function to create events in a temporary dataset. The SPL2 repeat dataset function is similar to the SPL makeresults command. See Overview of SPL2 dataset functions.
Evaluation functions
Use evaluation functions to evaluate an expression, based on your events, and return a result.
- object_to_array function: Use the object_to_array function to convert data that is in an object format into an array format. See Conversion functions.
Stats and chart functions
Use statistical and charting functions to generate a calculation, such as an average or percentage, based on the fields in your events.
- dataset function: Use the dataset function to aggregate events into arrays of SPL2 field-value objects. See Multivalue and array functions.
- pivot function: Use the pivot function to aggregate the values in a field and return the results as an object. See Multivalue and array functions.
Custom functions and data types
With SPL2, you can create custom functions and custom data types.
Custom eval functions
Create your own custom eval functions to extend SPL2. Custom eval functions are user-defined functions that you declare in an SPL2 module. Custom functions have zero or more parameters and return a single value. See Custom eval functions.
Custom command functions
You create a custom SPL2 command by declaring a custom command function. A custom command function is a function that performs like a command. You can create generating and non-generating command functions. See Custom command functions.
Custom data types
You can define your own data types by using either the built-in data types or other custom data types. Data types define the characteristics of the data. With custom data types, you can specify a set of complex characteristics that define the shape of your data. See Custom data types.
New types of expressions
The following sections describe the new types of expressions you can use with SPL2:
Lambda expressions
A lambda expression is like a function. Some JSON eval functions expect lambda expressions, such as filter, map, and reduce.
You use a lambda expression for specific JSON function parameters. See Lambda expressions.
Field and string templates
You can use field and string templates as part of eval expressions. Templates start with the dollar sign ( $ ) and use curly braces { } to enclose the expression. In addition, field templates must be enclosed in single quotation marks, such as '${expression}'.
Field templates
A field template generates a field name by using a template. You can use field templates in expressions in the eval command. Field templates must be enclosed in single quotation marks, for example '${expression}'.
See Field templates in the SPL2 Search Manual.
String templates
A string template is a string literal that includes one or more embedded expressions. Use string templates when you want a more readable result for your formatted strings. You can use field names and functions in string templates. See String templates in the SPL2 Search Manual.
Literals
SPL2 includes the ability to specify literal values in many parts of the syntax.
Array literals
An array of values or a multivalue field. Arrays are enclosed in square brackets. You can specify constant values and expressions in array literal expressions. See Array and object literals in expressions in the SPL2 Search Manual.
Dataset literals
A dataset literal is an array of objects that you type into your search criteria, instead of specifying a dataset name. You can use a dataset literal anywhere you can specify a dataset name. See Dataset literals in the SPL2 Search Manual.
Object literals
A list of comma-separated values enclosed in curly brackets. An SPL2 object literal is a convenient way to create JSON objects. To be JSON compatible, field names are stored internally with double quotation marks. See Array and object literals in expressions in the SPL2 Search Manual.
Raw string literals
A string value in which the backslash character ( \ ) is not processed. Raw string literals must be preceded by the at symbol ( @ ) and enclosed in double quotation marks. See Types of expressions in the SPL2 Search Manual.
Search literals
A search literal is a predicate that you can use wherever an <expression> is used. Search literals simplify and streamline your search syntax. Search literals must be enclosed in backtick characters ( ` ). See Search literals in the SPL2 Search Manual.
See also
- Related information
- Differences between SPL and SPL2
This documentation applies to the following versions of Splunk® Cloud Services: current