Splunk Tech Talks
Deep-dives for technical practitioners.

Build Your First SPL2 App!

WhitneySink
Splunk Employee


Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation language, is designed to serve as the single entry point for data processing behaviors across data in motion and at rest. While it is already available in Splunk Data Management (DM) pipelines in Splunk® Edge Processor and Ingest Processor, it is now in public beta in Splunk Enterprise!

Not only can you build dashboards, reports and alerts with SPL2 (just like SPL today), but you can also leverage SPL2’s advanced code-like capabilities, such as custom functions, custom types, views, imports, and exports, to solve long-standing administration and developer challenges.

Watch this Tech Talk to learn…

  • What SPL2 is, and how it extends SPL’s capabilities for developers and admins
  • How to build your first app with SPL2
  • How SPL2 can help solve common access control challenges with run-as-owner views, and conduct data quality validation with custom type checks

Watch the full Tech Talk here:


Check out the Q&A from this session:

Q: Will lambda expressions be marked as potentially unsafe/restricted by default (similar to the current | map command)?

A: Would love to hear more about this. Can you share why you're concerned about whether they're unsafe? Lambda expressions are just shorthand for bulk operations that would require many more lines of code.


Q: The | map command is currently marked as such by AppInspect, and you won't be able to mark your app as Cloud compatible in Splunkbase if it contains the | map command in any of the shipped KOs. I think the general idea of the AppInspect team is that the | map command can get resource intensive if it's improperly written. I was wondering, since lambda functions can have the same issues.

A: The examples we showed with the SPL2 map and reduce eval functions, which used lambda functions, will not be marked as unsafe; they are separate from the | map command you're referring to, which operates on an entire event stream.


Q: When I enter an SPL command using backticks, can the command include a macro (also enclosed in backticks)?

A: Yes, absolutely. SPL2 ultimately transpiles to SPL for Splunk Enterprise use cases, so any conf references (macros, modular regular expressions, etc.) will be valid.


Q: Maybe too early to ask, but any plans for any sort of SPL2 AI assistant (LLM, copilot...)?

A: Maybe in the future, but not yet 🙂


Q: I've just installed the open beta to try it out but have a 'license expired' notification and can't run any searches. This is a fresh install. Is it ok to use my dev license?

A: Hi, you need to request a license by filling out the survey on the top of the page first. We will send you a license shortly once you fill that out!


Q: Does the $search (beginning of chain) have to be the first in a search or can it be anywhere?

A: For streaming commands being defined by an SPL2 function, the first parameter ($source) will always be the incoming data stream.


Q: Is Edge Processor the same as the Data Stream Processor (DSP)? Can the forwarders do the job like Edge Processor?

A: Hi, great question! Edge Processor achieves many of the same outcomes of DSP, but is not the same product. Edge Processor can be thought of as the successor to DSP 🙂


Q: Is SPL2 applicable when building TA (technology add-on) as well?

A: Good question, not at this point in time. SPL2 is supported for search-time apps only.


Q: Just a follow-up, is SPL2 applicable for building ITSI Content Packs also?

A: At this point, the answer is no. This is planned for the future.


Q: Sorry, new to SPL. Isn't the macro achieving the same thing?

A: SPL2 custom functions can be thought of as very similar to macros, with a few more capabilities (e.g., optional data type validation for arguments and outputs).


Q: Is SPL2 compatible with custom commands? Is it possible to write custom commands (e.g. via functions) using Python directly from SPL2?

A: Not directly at this point in time. You can do this via embedded SPL, however.


Q: This looks great, what's the impact on SVC license of using SPL2?

A: At this point, we think it's negligible for the vast majority of use cases.


Q: Can we enable SPL2 in the Search & Reporting app for all our customers to run searches, instead of using a separate app?

A: Yes, you can do this by adding a _default module to any existing app.


Q: Is SPL2 available in XML dashboards?

A: Absolutely. You just need to use that | @spl2 syntax wherever your Simple XML references an SPL search and (for now) use the SPL2 on Splunk Enterprise beta.


Q: Will/Is SPL2 available for Splunk Cloud?

A: SPL2 is not yet available for Splunk Cloud, but we are actively working towards enabling that. Stay tuned!


Q: Is Visual Studio and the Splunk Extension the general favorite for an IDE for keeping track of your code/files/modules, etc?

A: Yes! It's great for props & transforms editing, Python script authoring, SPL2 modules, etc.

