We’re thrilled to announce the public beta of SPL2 on Splunk Enterprise! SPL2, Splunk’s next-generation data search and processing language, introduces consistency across batch & stream data preparation, as well as SQL syntax & programming concepts, to Splunk’s ultra-powerful SPL language. With this public beta in Splunk Enterprise, app developers, including partners, in-house app developers, citizen developers and more, are empowered to build supercharged Splunk applications!
Even more exciting, we’re happy to share that we’ve partnered with CyberCX, one of our many key Splunk partners, to highlight some of the most groundbreaking capabilities in SPL2, with the development of CyberCX’s Intel Hunt for Splunk application using SPL2. SPL2 represents a massive step forward in unifying the data fabric & helping organizations enhance their digital resiliency in security & observability! Click here to read more about CyberCX’s use of SPL2.
If you’ve been following along, you know that SPL2 launched with the Splunk Edge Processor solution last year, and with the Preview of Splunk Ingest Processor earlier this year. As an evolution of SPL to extend the powers of your favorite commands to streaming data, SPL2 defines the processing pipelines in these solutions, allowing data admins to flexibly write commands & functions to filter, mask, route, & transform data in motion.
Now, with the availability of SPL2 in Splunk Enterprise in this public beta, customers can use a consistent language to manipulate data across streaming data preparation and search of data at rest. Employing a single language across the Splunk platform to unlock value from data makes Splunk even more accessible to security & IT practitioners, analysts, developers, and engineers from all backgrounds.
SPL2 takes the best of SPL (while maintaining backwards compatibility) and adds support for SQL-style syntax and developer concepts found in other languages like Java and Python. This means it’s multi-modal: you can write SPL2 with SPL-style syntax or SQL-style syntax! With the ability to integrate with multiple runtimes, including streaming runtimes like Edge & Ingest Processor and search runtimes like splunkd, SPL2 delivers a consistent language interface across the Splunk platform for batch & stream data processing. With a consistent language across the Splunk platform, customers save time and money on training users on different tools, increasing skill transferability and promoting sharing & reuse. It’s one language, designed for the database analyst using Splunk search for the first time, the data admin trying to centralize & control hundreds of data ingestion pipelines, and the developer looking to create the most powerful Splunk app without resorting to difficult-to-manage custom integrations.
Let’s focus on that last one - leveraging SPL2 as a tool to create next-generation Splunk apps, doing things that could never be done before in SPL. That’s right, in addition to your favorite SPL commands and eval functions, SPL2 adds multiple developer-friendly features with programming language concepts, to make apps even more powerful:
So, how can Splunk apps take the next step forward with SPL2? The magic lies in a new knowledge object called a module file. An SPL2 module is a text file that can contain related SPL2 functions, searches, view datasets, and other items to power your app, much like a Python script or a Java file. You can create powerful programs, function libraries, and more within these modules, export the items you create, and reuse those items in your knowledge objects. Module files are shipped within apps, in the new directory $SPLUNK_HOME/etc/apps/default/data/spl2.
Anatomy of SPL2 in a Splunk app
Developers can author these modules using the Splunk Extension for Visual Studio Code, now enhanced to support an SPL2 module editor. These modules allow developers to write & ship SPL2 that tackles use cases that were previously extremely difficult (requiring custom development or 3rd party integrations) or impossible to achieve. For example, the following is all SPL2:
An SPL2 module in VS Code with imports, searches, exports, function declarations, and SPL & SQL syntax
But don’t worry! SPL2 can also be used where SPL is used - as single search statements to power reports, dashboards, and other knowledge objects, like the dashboard shown below. The SPL2 that is used to power knowledge objects can leverage the items built & exported within modules, like the one shown above.
A Dashboard Studio dashboard, powered by SPL2 & reading from an SPL2 module.
The combination of SPL2 modules, and SPL2 statements leveraging those modules to power knowledge objects, allows unlimited flexibility for developers and admins. Developers can customize their apps with rich SPL2 code, without exposing that code complexity to users, by packaging the logic in the “under-the-hood” modules and only exposing relevant items via exports. Meanwhile, admins can build custom, in-house apps to provide out-of-box functions & searches to users, as well as take advantage of granular data access control as a feature of SPL2.
…and we’re just scratching the surface! SPL2 ushers in a new generation of app building in the Splunk ecosystem. But don’t just take our word for it - head on over to see how CyberCX strengthens their portfolio with a point-and-click threat hunting application, built using SPL2.
A public beta build of Splunk Enterprise with SPL2 support is available now:
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.