Key Takeaways:
Unified Workspace: Consolidates searches, documentation, and results into a single "Jupyter-like" module to eliminate context switching.
Inline Documentation: Allows analysts to embed their thought process and hypotheses directly within the search logic for better auditability.
Named Search Branching: Supports naming searches to reference base results in downstream queries, simplifying complex root cause analysis.
Developer-Friendly Tools: Features real-time linting, autocomplete, and integrated syntax documentation to speed up query writing.
Collaborative Investigation: Modules can be shared across teams with specific permissions, ensuring a single source of truth for incident closure.
Incident response and root cause analysis are critical functions for security and operations teams. The ability to quickly and efficiently investigate suspicious activity can significantly impact an organization's security posture and operational continuity. Splunk's next-generation data search and processing language, SPL2, introduces powerful capabilities, including the new SPL2 module editor, which is designed to streamline these complex investigations.
This article explores how the SPL2 module editor empowers security and operations analysts, offering a centralized and collaborative environment for incident investigation.
Watch how a security analyst at Buttercup Games uses the SPL2 Module Editor to investigate anomalous shopping behavior, moving from a suspicious IP alert to a documented resolution in a single workspace.
The SPL2 module editor transforms how analysts approach incident investigation by providing a robust environment for complex queries, data enrichment, root cause analysis, and collaborative documentation, all within a single, auditable framework. SPL2 is a more concise language that supports both SPL and SQL syntax, making it accessible to a wide range of users. It also allows for multiple search statements within a single file, which is a significant enhancement for investigations.
1. Unified Workspace for Comprehensive Incident Analysis
The SPL2 module editor delivers a truly unified workspace for incident analysis, akin to a Jupyter Notebook, fundamentally changing how investigations are conducted. Previously, analysts often found themselves juggling dozens of browser tabs for their searches, constantly switching between the tabs, or performing a "swivel chair" analysis across different tools like word processors to save queries, comments, and thought processes. This fragmented approach led to significant context switching, reduced focus, and a disjointed record of the investigation.
Now, with the SPL2 module editor, analysts can consolidate their entire investigation into a single, integrated module. They can name their individual searches and chain them together, breaking down complex inquiries into logical, manageable steps within this one environment. This not only dramatically improves the readability and organization of complex investigations but also allows for everything, from the initial data exploration and query development to the final closing remarks, to be performed and documented in one place.
Furthermore, this centralized module evolves into a powerful single source of truth, capable of driving multiple outputs and fostering extensive reusability. Analysts can leverage the meticulously defined searches and logic within a module to power various reports and dashboards, ensuring consistency across all visualizations and centralizing their underlying analytical logic. This capability also streamlines "save as" workflows, allowing analysts to quickly adapt existing investigations for new incidents or create specialized artifacts directly from their comprehensive module. Beyond internal adaptation, the true modularity of SPL2 means that these modules, or specific components within them, can be exported and imported into other modules. This enables seamless sharing of best practices, standardized analytical procedures, and common functions across teams and even different environments. This profound consolidation dramatically streamlines workflows, enhances efficiency, provides a comprehensive and auditable record, and empowers analysts with a truly integrated, reusable, and collaborative investigative platform.
The following image illustrates an SPL2 module featuring multiple interconnected searches. By naming searches within the editor, you can reference base results in downstream queries, a powerful capability known as branching.
2. Inline Documentation for Thought Process: A crucial aspect of incident investigation is documenting the analyst's thought process. The module editor allows analysts to embed inline documentation directly within their SPL2 searches. This means that the rationale behind each search, the hypotheses being tested, and preliminary findings can be recorded alongside the queries themselves, creating a rich, self-documenting investigation. For example,
3. Comprehensive Incident Closure with Integrated Remarks: The module becomes a complete document for the entire investigation. Analysts can include closing remarks, summaries, and conclusions directly within the module. This centralizes all the SPL2 commands, documentation, and final notes, allowing the module itself to serve as the definitive record for closing out an incident, eliminating the need to compile information from disparate sources. For example,
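The module below is an added example of the named-search, branching, inline-documentation and closing-remark workflow described above; it is not code from the original post or from Splunk. It assumes the Buttercup Games web access data lives in the `main` index with sourcetype `access_combined_wcookie`, that `clientip`, `uri_path` and `status` are extracted fields, and the request threshold and the client IP in the comments are constructed values.

```spl2
// Incident: alert on repeated failed checkouts from one client IP (198.51.100.23,
// a constructed example value).
// Hypothesis: a single client is hammering the cart, not a site-wide outage.
// Assumed dataset: index "main", sourcetype "access_combined_wcookie".

// Base search: web access events with the one derived field the branches need.
$web_events = from main
    | where sourcetype = "access_combined_wcookie"
    | eval failed_checkout = if(uri_path = "/cart/checkout" and status >= 400, 1, 0);

// Branch 1: per-client request volume and checkout failures. Named so the
// branches below, and any report built from this module, reuse one definition.
$per_client = from $web_events
    | stats count() as requests,
            sum(failed_checkout) as failed_checkouts,
            dc(uri_path) as distinct_paths
      by clientip;

// Branch 2: clients that stand out by volume. The 500 threshold (assumed) was
// picked after looking at the clientip distribution in the field panel.
$high_volume = from $per_client
    | where requests > 500
    | sort -requests;

// Branch 3: clients whose failed checkouts dominate their traffic.
$failure_heavy = from $per_client
    | where failed_checkouts > 0
    | eval failure_ratio = failed_checkouts / requests
    | where failure_ratio > 0.5;

// Root cause view: the intersection of branches 2 and 3, expressed directly
// against $per_client so the result is a single table for the incident report.
$root_cause = from $per_client
    | where requests > 500 and failed_checkouts > requests * 0.5
    | sort -failed_checkouts;

/* Closing remarks:
   Only one client met both conditions, so the alert reflects automated
   checkout abuse from that IP rather than a checkout outage. Client blocked
   at the edge, ticket closed. $per_client is kept as the source for the
   weekly checkout-failure report. */
```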
4. Seamless Collaboration and Sharing: The module editor facilitates unparalleled team collaboration. Investigation modules can be easily saved and shared with other team members, who can then add their own analysis, insights, or further queries, provided they have the necessary access. This capability ensures that complex incidents can be handled by multiple team members seamlessly, fostering a collaborative environment and improving response times.
The following image illustrates the permissions dialog, which allows you to configure access settings when initially saving a module or modifying an existing one.
5. Enhanced User Experience with Linting, Autocomplete, and In-line Documentation: To help analysts write queries faster and more accurately, the module editor provides developer-friendly features such as linting and autocomplete. Linting helps identify syntax errors and potential issues in real-time, while autocomplete suggests commands, functions, and field names, significantly speeding up the query writing process and reducing errors. Furthermore, integrated in-line documentation provides immediate access to syntax and command usage, eliminating the need for tab switching and keeping analysts fully immersed in their investigation.
As shown below, in-line documentation offers immediate assistance, helping you understand function parameters and usage without leaving the editor.
The following example illustrates the comprehensive in-line command documentation, which provides integrated parameter definitions, practical usage examples, and direct links to full technical documentation.
6. Intuitive Point-and-Click Query Building and Interactive Data Exploration: The module editor's user interface, particularly the right-hand panel, offers an intuitive point-and-click experience for both query construction and data exploration. Analysts can select fields and commands from a visual interface, which then helps construct the SPL2 queries. This visual assistance lowers the barrier to entry for less experienced users and accelerates query generation for all. Furthermore, within this same panel, users can easily manage all available fields, selecting or deselecting them to tailor the output in their result pane. Clicking on any field instantly displays the distribution of its values, providing immediate insights into data patterns and anomalies directly within the investigative workflow.
The following image demonstrates how selecting the clientip field surfaces a distribution of the most frequent values, providing both the raw event count and the percentage breakdown for each.
The following image illustrates the dataset panel, which displays all accessible data sources available for direct import into the module editor.
This article demonstrates how SPL2’s module editor simplifies complex investigations by streamlining workflows, enabling efficient triage, and fostering team collaboration in a single, centralized environment. By integrating named and chained searches, inline documentation, comprehensive incident closure, seamless sharing, and an intuitive user experience, SPL2 enhances analyst productivity and significantly improves incident response effectiveness. SPL2 turbocharges security and observability use cases with rich language capabilities, making it a powerful tool for incident investigation and forensics.
Ready to streamline your complex investigations and boost productivity? Dive into the SPL2 multi-statement module editor today. Leverage its rich autocomplete and in-product documentation to easily chain multiple search statements, conduct thorough root cause analyses, and group related searches for unparalleled efficiency. You can start exploring the SPL2 module editor in Splunk Enterprise and Splunk Cloud Platform 10.2 (Linux), and dive deeper into its capabilities with our comprehensive documentation.
Interested in learning more or sharing your experiences with SPL2? We welcome you to join the #spl2 channel.