Boost Productivity with SPL2: The Next-Gen Language for Splunk

What's next?

Here are a few more resources you might find helpful:

Tech Talks​

• Generative AI for SPL -- Faster Results​
  ​

Blogs​

• Introducing SPL2: The Next-Generation Search & Data Preparation Language for Splunk​
• Announcing Splunk Enterprise 10.2 & Splunk Cloud Platform 10.2 – Next Generation Querying & Analytic...​
• How to Streamline Incident Response with the SPL2 Module Editor ​

Videos​

• How SPL2 Simplifies Security Investigations and Admin Workflows in Splunk

Here are a few top of mind questions from the live Tech Talk

Q. What version of Splunk Enterprise is this available in?

A. SPL2 for search & reporting is available in Splunk Enterprise 10.2: Introducing SPL2: The Next-Generation Search & Data Preparation Language for Splunk 

Q. Is the regular SPL going away and we have to all move to SPL2?

A. No, standard SPL is not being deprecated. SPL2 is designed to complement and extend the capabilities of existing SPL, offering enhanced features. We will support both, and we encourage you to explore SPL2 to see how its new features might benefit your specific use cases.

Q. How do you keep large SPL2 apps fast when many modules depend on each other?

A. While SPL2 is a newer capability, the foundational principles of search optimization remain highly relevant. Many of the optimization techniques used for standard SPL, such as filtering early and narrowing the scope of your data, are equally effective in SPL2. We recommend applying these established best practices to your SPL2 applications as they scale. You can find a comprehensive guide on these techniques here: Quick tips for optimization.

Q. Are there any plans to expand SPL2 integration to other Cisco products, outside of Splunk?

A. Currently, SPL2 is available within the Edge, Ingest Processor, and the Search & Reporting app. We are continuously evaluating our product roadmap and will share updates regarding any future integrations as they become available.

Q. Are there any other new features in Splunk 10.2 besides SPL2?

A. Yes, you can find all about them here: Announcing Splunk Enterprise 10.2 & Splunk Cloud Platform 10.2 – Next Generation Querying & Analytic.... 

Q. Will be an a new Splunk SPL 2 certification?

A. We currently offer training courses on SPL2 and are actively working to expand our educational content. While there is no dedicated SPL2 certification at this time, we will share updates through our official channels should that change in the future. In the meantime, you can explore our available training resources here: Training & Certification.

Q. What technical mistakes do teams make most often when moving from SPL to SPL2?

A. As SPL2 is in the early stages of adoption within the Search & Reporting app, we are still gathering feedback and best practices from our users. At this time, we haven't identified any common technical pitfalls. To assist with your transition, we recommend utilizing the built-in SPL to SPL2 conversion tool, which is designed to streamline the process and help you adapt your existing queries. As more teams adopt SPL2, we look forward to sharing further insights and guidance. SPL to SPL2 conversion tool help document.

Q. How do you keep large SPL2 apps fast as they grow?

A. While SPL2 is a newer capability, the foundational principles of search optimization remain highly relevant. Many of the optimization techniques used for standard SPL, such as filtering early and narrowing the scope of your data, are equally effective in SPL2. We recommend applying these established best practices to your SPL2 applications as they scale. You can find a comprehensive guide on these techniques here: Quick tips for optimization.

Q. Do we have debugging capabilities in SPL2 to see what's going wrong while querying?

A. Yes, here you can find some resources to help:

• Manage search jobs
• SPL2 module editor overview

Q. Are there any native functions in scripting that will automatically connect to a Splunk instance to be able to perform the SQL like queries and then have those queries return formatted information? Similar to how SQL returns information?

A. Currently, we do not have a tool available that meets those specific requirements but the REST API reference can be used as a guide to creating SPL2 jobs utilizing SQL syntax.

Q. Will there be any new AI features in 10.2?

A. Here are some AI announcements: From Weeks to Minutes: Accelerating Data Intelligence with AI-Powered Data Management.

Q. Is this available specifically for on prem version not cloud version?

A. SPL2 for search & reporting is available in Splunk Enterprise 10.2: Introducing SPL2: The Next-Generation Search & Data Preparation Language for Splunk.

Q. If we utilize MySQL based queries for existing scripts, are there conversion functions for PHP readily available to use Splunk as the database? If not, how do we accomplish?

A. Currently, we do not have a tool available that meets those specific requirements but in general, ANSI-compatible queries are valid in SPL2.

Q. Can macros created in SPL be invoked in SPL2?

A. No, here you can find more information: spl1 command: Overview, syntax, and usage.