Splunk® Enterprise

Admin Manual

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install SPL2-based apps

Beta features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this Beta feature available in its sole discretion and may discontinue it at any time. Use of Beta features is subject to the Splunk General Terms.

SPL version 2 (SPL2) is a product-agnostic, intuitive language that has the best of both query and programming languages. SPL2 supports SPL and SQL syntax patterns.

For this Beta you must use a pre-release version of Splunk Enterprise. These Beta features are not included in version 9.2.1, or any other released version of Splunk Enterprise.

This documentation is designed for Splunk administrators who are participating in the Beta of SPL2-based application development. Refer to SPL2 Public Beta overview in the Splunk Developer Guide on dev.splunk.com for more information about using the pre-release version of the Beta, which can be found on the Splunk Voice of the Customer portal.

This Beta is supported on the following operating systems:

  • Linux
  • macOS

You can install and run SPL2-based applications in a pre-release version of Splunk Enterprise as part of this Beta.

Supported architectures

This Beta is supported on the following architectures, which are described in the Validated Splunk Architectures PDF:

  • Single Server Deployment (SVA S1)
  • Distributed Non-Clustered Deployment (D1)
  • Distributed Clustered Deployment - Single Site (C1 / C11)
  • Distributed Clustered Deployment + SHC - Single Site (C3 / C13)

New terminology

The following table describes some of the new terms you might encounter in this documentation:

| Term | Description |
| --- | --- |
| dataset | A dataset is a collection of data. Indexes, lookups, views, and jobs are different kinds of datasets. |
| statements | SPL2 statements are searches and other types of data-related code, such as import and export statements, custom function statements, and custom data type statements. |
| module | A module is like a file that contains one or more SPL2 statements. |
| data orchestrator | The Splunk data orchestrator is a new software component that parses and routes SPL2 modules to splunkd. |

For more about modules, datasets, and statements, see the following documentation in the SPL2 Search Manual:

For more information about SPL2-based applications, see Create a SPL2-based app in the Developer Guide on dev.splunk.com.

Prerequisites

  • A pre-release version of Splunk Enterprise.
    • To install an SPL2-based application, you must download the pre-release version of Splunk Enterprise. To get the pre-release version, access the SPL2 Public Beta for Application Development on the Splunk Voice of the Customer site. You must log in with a splunk.com account to access the Beta.
  • Port 9800.
    • The pre-release version has SPL2 enabled and uses port 9800 to connect to the Splunk data orchestrator. The Splunk data orchestrator is a new software component that parses and routes SPL2 modules to splunkd. The data orchestrator creates a log file in the SPLUNK_HOME/var/log/splunk directory.
    • If for some reason port 9800 is not available to use for this Beta, you can designate another port to connect to the data orchestrator. See Edit the SPL2 configuration on the pre-release instance in the Splunk Developer Guide.

Get help or provide feedback on the Beta

Use Slack or email to request help or make comments about this Beta:

Beta limitations

The following sections describe the current limitations in this Beta. These sections are updated when a limitation is removed or changed.

Orchestrator service error on macOS

If you receive an error referencing the orchestrator service after you install the pre-release version of Splunk Enterprise on macOS, there is an issue with the $TMPDIR setting.

Try the following steps to work around this issue:

  1. Open a different terminal window.
  2. Restart the pre-release Splunk Enterprise instance. This might reset the $TMPDIR setting.

If restarting the pre-release version of Splunk Enterprise does not resolve the issue, then try these steps:

  1. Set $TMPDIR to a known existing, writable directory.
    For example: export TMPDIR=$SPLUNK_HOME/spl2_install_tmp
  2. Restart the pre-release Splunk Enterprise instance.

Dataset limitations

In this Beta, only the following types of datasets are supported:

  • Indexes
  • Lookups
  • Saved searches

Knowledge object limitations

In this Beta, the supported knowledge objects (KOs) are identified in the following table:

| Knowledge object | Supported in this Beta |
| --- | --- |
| Alerts | Yes |
| Dashboards | Yes |
| Data models | No |
| Event types | No |
| Fields | Yes |
| Field extractions | No |
| Lookups | Yes |
| Reports | Yes |
| Saved searches | Yes |
| Tags | No |
| Workflow actions | No |

SPL2 function scope limitation

An SPL2 custom function cannot reference a search statement that is defined outside of the SPL2 function. For more information about this limitation, see SPL2 Public Beta overview in the Splunk Developer Guide on dev.splunk.com.

Install an SPL2-based app

In this Beta, Splunk administrators can install and use SPL2-based applications on the pre-release version of Splunk Enterprise.

Complete the following steps to install an SPL2-based application. For information about basic app installation, see About installing Splunk add-ons in the Splunk Add-ons manual.

  1. Save the SPL2-based app on your pre-release version of Splunk Enterprise.
  2. On the Splunk Web home screen, select the Apps drop-down and then select Manage apps.
  3. Select the Install app from file button.
  4. Locate the app file and select Upload. You might be prompted to restart the Splunk Enterprise instance.
  5. Verify that the app appears in the list of apps and add-ons. You can also find the app on your pre-release instance at $SPLUNK_HOME/etc/apps/<app_name>.
  6. Read the README file that is included with the app.

The application is installed in the /apps/default/data/spl2 directory. Modules are not installed on indexers. The following image shows an app that consists of 3 modules: setup, _default, and functions.

This image shows the installation path for applications. In the spl2 directory, three modules are shown: setup.spl2, _default.spl2, and functions.spl2.

After installation, all application modules in the /apps/default/data/spl2 directory are automatically uploaded and stored in your instance. If the files in your /apps/local/data/spl2 and /apps/default/data/spl2 directories have the same name, then the local directory takes precedence. The file in the local directory is uploaded instead, but both files are preserved in their respective directories.

If you make changes to these modules in these directories later, they will not automatically upload unless you re-install the app. This process occurs only at installation. To learn how to modify an app later, see Manage SPL2-based apps.
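Because a local file silently replaces a default file of the same name at installation, it helps to list which copy of each module is the one that gets uploaded before you install or re-install an app. The following is an added example, not Splunk code: the function names are hypothetical, and it assumes the app directory you pass in contains default/data/spl2 and local/data/spl2 subdirectories.

```shell
#!/bin/sh
# Added example (not Splunk code): list which copy of each SPL2 module
# would be uploaded at installation, applying "local takes precedence".
# Assumption: APP_DIR contains default/data/spl2 and local/data/spl2.

# effective_spl2_modules APP_DIR
# Prints one line per module: "<file> <source> <status>"
#   local override : file exists in both directories, the local copy is used
#   local only     : file exists only in the local directory
#   default only   : file exists only in the default directory
effective_spl2_modules() {
    app_dir=$1
    def_dir="$app_dir/default/data/spl2"
    loc_dir="$app_dir/local/data/spl2"
    for f in "$def_dir"/*.spl2 "$loc_dir"/*.spl2; do
        [ -f "$f" ] || continue        # skips unmatched globs and missing dirs
        basename "$f"
    done | LC_ALL=C sort -u | while IFS= read -r name; do
        if [ -f "$loc_dir/$name" ] && [ -f "$def_dir/$name" ]; then
            echo "$name local override"
        elif [ -f "$loc_dir/$name" ]; then
            echo "$name local only"
        else
            echo "$name default only"
        fi
    done
}

# Constructed sample app with the three modules named on this page,
# plus a local functions.spl2 that shadows the default one.
make_sample_app() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/default/data/spl2" "$d/local/data/spl2"
    : > "$d/default/data/spl2/setup.spl2"
    : > "$d/default/data/spl2/_default.spl2"
    : > "$d/default/data/spl2/functions.spl2"
    : > "$d/local/data/spl2/functions.spl2"
    echo "$d"
}

app=$(make_sample_app)
effective_spl2_modules "$app"
rm -rf "$app"
```

Any line marked "local override" is a module whose default copy is preserved on disk but is not the one uploaded, so review the local copy when you audit the app.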


See also

  • To learn how to modify an SPL2-based app, see Manage SPL2-based apps.
  • To learn how to create an SPL2-based app, see Create a SPL2-based app in the Developer Guide for Splunk Cloud Platform and Splunk Enterprise on the Splunk Developer Portal.
Last modified on 13 November, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

