Install SPL2-based apps
Beta features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this Beta feature available in its sole discretion and may discontinue it at any time. Use of Beta features is subject to the Splunk General Terms.
SPL version 2 (SPL2) is a product-agnostic, intuitive language that has the best of both query and programming languages. SPL2 supports SPL and SQL syntax patterns.
For this Beta you must use a pre-release version of Splunk Enterprise. These Beta features are not included in version 9.2.1, or any other released version of Splunk Enterprise.
This documentation is designed for Splunk administrators who are participating in the Beta of SPL2-based application development. Refer to SPL2 Public Beta overview in the Splunk Developer Guide on dev.splunk.com for more information about using the pre-release version of the Beta, which can be found on the Splunk Voice of the Customer portal.
This Beta is supported on the following operating systems:
- Linux
- macOS
You can install and run SPL2-based applications in a pre-release version of Splunk Enterprise as part of this Beta.
Supported architectures
This Beta is supported on the following architectures which are described in the PDF Validated Splunk Architectures:
- Single Server Deployment (SVA S1)
- Distributed Non-Clustered Deployment (D1)
- Distributed Clustered Deployment - Single Site (C1 / C11)
- Distributed Clustered Deployment + SHC - Single Site (C3 / C13)
New terminology
The following table describes some of the new terms you might encounter in this documentation:
Term | Description |
---|---|
dataset | A dataset is a collection of data. Indexes, lookups, views, and jobs are different kinds of datasets. |
statements | SPL2 statements are searches and other types of data-related code, such as: |
module | A module is like a file that contains one or more SPL2 statements. |
data orchestrator | The Splunk data orchestrator is a new software component that parses and routes SPL2 modules to splunkd. |
For more about modules, datasets, and statements, see the following documentation in the SPL2 Search Manual:
For more information about SPL2-based applications, see Create a SPL2-based app in the Developer Guide on dev.splunk.com.
Prerequisites
- A pre-release version of Splunk Enterprise.
  - To install an SPL2-based application, you must download the pre-release version of Splunk Enterprise. To get the pre-release version, access the SPL2 Public Beta for Application Development on the Splunk Voice of the Customer site. You must log in with a splunk.com account to access the Beta.
- Port 9800.
  - The pre-release version has SPL2 enabled and uses port 9800 to connect to the Splunk data orchestrator. The Splunk data orchestrator is a new software component that parses and routes SPL2 modules to splunkd. The data orchestrator creates a log file in the SPLUNK_HOME/var/log/splunk directory.
  - If for some reason port 9800 is not available to use for this Beta, you can designate another port to connect to the data orchestrator. See Edit the SPL2 configuration on the pre-release instance in the Splunk Developer Guide.
Get help or provide feedback on the Beta
Use Slack or email to request help or make comments about this Beta:
- Use the #spl2 channel in the splunk-usergroups Slack workspace.
- Email us at spl2@splunk.com.
Beta limitations
The following sections describe the current limitations in this Beta. These sections are updated when a limitation is removed or changed.
Orchestrator service error on macOS
If you receive an error referencing the orchestrator service after you install the pre-release version of Splunk Enterprise on macOS, there is an issue with the $TMPDIR setting.
Try the following steps to work around this issue:
- Open a different terminal window.
- Restart the pre-release Splunk Enterprise instance. This might reset the $TMPDIR setting.
If restarting the pre-release version of Splunk Enterprise does not resolve the issue, then try these steps:
- Set $TMPDIR to a known existing, writable directory.
  For example: export TMPDIR=$SPLUNK_HOME/spl2_install_tmp
- Restart the pre-release Splunk Enterprise instance.
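The export in the workaround above only helps if the target directory exists and is writable. The following added example (not Splunk code) checks that before printing the export line. It assumes it is run as the account that runs Splunk Enterprise; the function names and the temporary stand-in for $SPLUNK_HOME are illustrative.

```shell
#!/bin/sh
# Added example (not Splunk code): validate a directory before using it as TMPDIR.

# tmpdir_status DIR -> prints one of: ok | unset | missing | not-writable
tmpdir_status() {
    dir=$1
    if [ -z "$dir" ]; then echo unset
    elif [ ! -d "$dir" ]; then echo missing
    # Writability is tested by actually creating (then removing) a probe file.
    elif ! probe=$(mktemp "$dir/spl2probe.XXXXXX" 2>/dev/null); then echo not-writable
    else rm -f "$probe"; echo ok
    fi
}

# ensure_tmpdir DIR: create DIR with owner-only permissions if it is missing,
# then print the export line only when a file can really be created there.
ensure_tmpdir() {
    dir=$1
    if [ "$(tmpdir_status "$dir")" = missing ]; then
        mkdir -p "$dir" && chmod 700 "$dir"
    fi
    if [ "$(tmpdir_status "$dir")" = ok ]; then
        printf 'export TMPDIR="%s"\n' "$dir"
    else
        echo "cannot use $dir as TMPDIR" >&2
        return 1
    fi
}

# Demo on a constructed directory standing in for $SPLUNK_HOME.
base=$(mktemp -d)
ensure_tmpdir "$base/spl2_install_tmp"
rm -rf "$base"
```

On a real instance, call ensure_tmpdir "$SPLUNK_HOME/spl2_install_tmp", run the export line it prints in the same shell, and then restart the instance.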
Dataset limitations
In this Beta, only the following types of datasets are supported:
- Indexes
- Lookups
- Saved searches
Knowledge object limitations
In this Beta, the supported knowledge objects (KOs) are identified in the following table:
Knowledge object | Supported in this Beta |
---|---|
Alerts | Yes |
Dashboards | Yes |
Data models | No |
Event types | No |
Fields | Yes |
Field extractions | No |
Lookups | Yes |
Reports | Yes |
Saved searches | Yes |
Tags | No |
Workflow actions | No |
SPL2 function scope limitation
An SPL2 custom function cannot reference a search statement that is defined outside of the SPL2 function. For more information about this limitation, see SPL2 Public Beta overview in the Splunk Developer Guide on dev.splunk.com.
Install an SPL2-based app
In this Beta, Splunk administrators can install and use SPL2-based applications on the pre-release version of Splunk Enterprise.
Complete the following steps to install an SPL2-based application. For information about basic app installation, see About installing Splunk add-ons in the Splunk Add-ons manual.
- Save the SPL2-based app on your pre-release version of Splunk Enterprise.
- On the Splunk Web home screen, select the Apps drop-down and then select Manage apps.
- Select the Install app from file button.
- Locate the app file and select Upload. You might be prompted to restart the Splunk Enterprise instance.
- Verify that the app appears in the list of apps and add-ons. You can also find the app on your pre-release instance at $SPLUNK_HOME/etc/apps/<app_name>.
- Read the README file that is included with the app.
The application is installed in the /apps/default/data/spl2 directory. Modules are not installed on indexers. The following image shows an app that consists of 3 modules: setup, _default, and functions.
After installation, all application modules in the /apps/default/data/spl2 directory are automatically uploaded and stored in your instance. If the files in your /apps/local/data/spl2 and /apps/default/data/spl2 directories have the same name, then the local directory takes precedence. The file in the local directory is uploaded instead, but both files are preserved in their respective directories.
If you make changes to these modules in these directories later, they will not automatically upload unless you re-install the app. This process occurs only at installation. To learn how to modify an app later, see Manage SPL2-based apps.
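Because a local file silently replaces a same-named default file at upload time, it is worth reviewing which copy wins before you install or re-install an app. The following added example (not Splunk code) lists each module file, the directory whose copy would be uploaded, and whether a local override differs from the shipped file. It assumes the two directories sit at <app_dir>/default/data/spl2 and <app_dir>/local/data/spl2; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example (not Splunk code). ASSUMPTION: module files sit in
# <app_dir>/default/data/spl2 and <app_dir>/local/data/spl2.

# Print "<file><TAB><directory that wins><TAB><status>" for each module file.
effective_modules() {
    def="$1/default/data/spl2"
    loc="$1/local/data/spl2"
    for d in "$def" "$loc"; do
        for f in "$d"/*; do
            if [ -f "$f" ]; then basename "$f"; fi
        done
    done | sort -u | while IFS= read -r name; do
        if [ -f "$loc/$name" ] && [ -f "$def/$name" ]; then
            # Same name in both: the local copy is uploaded; flag real drift.
            if cmp -s "$loc/$name" "$def/$name"; then
                printf '%s\tlocal\toverride-identical\n' "$name"
            else
                printf '%s\tlocal\toverride-differs\n' "$name"
            fi
        elif [ -f "$loc/$name" ]; then
            printf '%s\tlocal\tlocal-only\n' "$name"
        else
            printf '%s\tdefault\tdefault-only\n' "$name"
        fi
    done
}

# Build a constructed app tree (file names and contents are made up).
make_sample_app() {
    app=$(mktemp -d) || return 1
    mkdir -p "$app/default/data/spl2" "$app/local/data/spl2"
    echo 'shipped setup'     > "$app/default/data/spl2/setup"
    echo 'shipped functions' > "$app/default/data/spl2/functions"
    echo 'shipped default'   > "$app/default/data/spl2/_default"
    echo 'edited functions'  > "$app/local/data/spl2/functions"
    echo 'shipped default'   > "$app/local/data/spl2/_default"
    echo "$app"
}

sample=$(make_sample_app)
effective_modules "$sample"
rm -rf "$sample"
```

An override-differs line marks a module where the uploaded code is not what the app shipped, which is the case to review before installation.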
See also
- To learn how to modify an SPL2-based app, see Manage SPL2-based apps.
- To learn how to create an SPL2-based app, see Create a SPL2-based app in the Developer Guide for Splunk Cloud Platform and Splunk Enterprise on the Splunk Developer Portal.
This documentation applies to the following versions of Splunk® Enterprise: 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2