Introduction
The Search Processing Language (SPL) is a set of commands that you use to search your data.
There are two versions of SPL: SPL and SPL, version 2 (SPL2). This manual describes SPL2.
If you are looking for information about using SPL:
- For Splunk Cloud Platform, see Search Reference in the Splunk Cloud Platform documentation.
- For Splunk Enterprise, see Search Reference in the Splunk Enterprise documentation.
What is SPL2?
SPL2 is a product-agnostic, intuitive language that includes the best of both query and scripting languages. SPL2 supports both SPL and SQL syntax patterns. SPL2 is designed to work with the variety of runtimes in the Splunk portfolio. SPL2 is fully backwards compatible with SPL, and can operate in parallel with SPL.
With SPL2, you can create multiple search statements in a single file. You can create user-defined functions and data types for custom processing that are highly composable and reusable. You can share these items with others using import and export operations.
The following table describes the advantages of using SPL2 for different types of users:
SPL2 persona | Usage |
---|---|
End-users | SPL2 is a search language that supports both SPL and SQL syntax. |
Application developers | SPL2 is a powerful development and scripting language. |
Data administrators | SPL2 is a data preparation language. |
There are several reasons why SPL2 was created:
- SPL2 reduces the barrier to learning the Splunk search processing language for new users.
- With SPL2, users no longer need to have wide and deep expertise in multiple tools.
- You can use SPL2 uniformly against data in-motion and data at rest.
- SPL2 turbocharges security and observability use cases with rich language capabilities.
Where is SPL2 used?
Several Splunk products use SPL2:
- Splunk Edge Processor on Splunk Cloud Platform
- Splunk Ingest Processor (Preview) on Splunk Cloud Platform
- SPL2 for Application Development (Beta) on Splunk Enterprise
- Splunk Search Experience (Preview)
Splunk Data Stream Processor (DSP) uses a set of custom functions, some of which are similar to SPL2 commands and functions. See DSP functions by category in the Splunk Data Stream Processor Function Reference.
Learning SPL2
SPL2 makes the search language easier to use, removes infrequently used commands, and improves the consistency of the command syntax.
There are two Splunk manuals that contain information about SPL2:
- SPL2 Search Reference
  - The SPL2 Search Reference (this manual) contains reference information about the SPL2 search commands, command syntax, data types, and functions.
- SPL2 Search Manual
  - The SPL2 Search Manual contains information about how to use SPL2 commands effectively. You'll learn how to get started searching, how to use expressions and predicates, and even how to add comments to your search strings.
Useful links to SPL2 documentation
The following list contains links to SPL2 getting started and quick reference information:
- Understanding SPL2 Syntax
- SPL2 Command Quick Reference
- Quick Reference for SPL2 eval functions
- Quick Reference for SPL2 Stats and Charting Functions
- Start searching using SPL2 in the SPL2 Search Manual
- Types of expressions in the SPL2 Search Manual
- Differences between SPL and SPL2
- New features in SPL2
This documentation applies to the following versions of Splunk® Cloud Services: current