Using SPL2 to improve incident investigation and root cause analysis
You are a security analyst who encounters the following challenges when investigating incidents with the Splunk platform:
- A separate browser tab for every search, which makes debugging hard and gives no way to iterate on a query
- Difficult for teams to collaborate on findings
- Low discoverability of indexes, lookups, and other features, which increases reliance on experts for help
- Fragmented workflow across multiple links, tabs, and tools for reporting, write-ups, and summaries of results
You want to learn how using SPL2 can help address these challenges.
How to use Splunk software for this use case
SPL2 is an evolution of SPL, not a completely new search language. It is available in Splunk Cloud Platform 10.2.0.2511 and higher and Splunk Enterprise 10.2 or higher for *nix operating systems.
There are some versions of Linux that are not supported in version 10.2. See the SPL2 Known issues for a list of these versions.
Switching to SPL2 requires minimal or no rewriting of the SPL queries you have already created. Its performance is comparable to SPL, with minimal additional processing overhead. SPL2 has the following characteristics:
- More expressive
- Multi-modal: the same search can be written in pipe-based SPL syntax or in SQL-like syntax
- Standardized
- Unified across all Splunk products
How can SPL2 help?
SPL2 features a knowledge object called a module, which is like a centralized investigative notebook. Modules have the following features:
- They can contain many searches, and you can choose which ones to run individually at any time.
- Modules can hold comments and notes on searches to help other team members understand searches.
- Searches can be chained (one search takes the results of another by name) and branched (several searches build on a shared base search). Running a search executes only that search and the searches it depends on, not every search in the module.
- Modules can be exported and shared to improve collaboration, and other users can build on top of the searches already in the module.
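The following SPL2 module is an added example of the chaining and branching described above; it is not from the original page or from Splunk. Each statement is named with a leading $ and terminated with a semicolon, a statement reads another's results with from $name, and comments stay in the module when it is exported. The index, sourcetype, regular expression, field names and the failure threshold are assumptions chosen for a brute-force investigation on SSH logs.

```spl2
/* Constructed example module for a brute-force investigation.
   Index, sourcetype, field names and the threshold of 20 are assumptions
   for illustration; they are not taken from the original page. */

// Base statement: the raw authentication events every other statement builds on.
// Run it on its own first to confirm the data is actually there.
$auth_events = from main where sourcetype="linux_secure";

// Chained statement: parse SSH login outcomes out of the raw message.
// Only the named groups become fields; the (?:...) groups are ignored.
$login_attempts = from $auth_events
    | rex field=_raw "(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>[^ ]+) from (?P<src_ip>[^ ]+)"
    | where isnotnull(outcome)
    | eval failed = if(outcome="Failed", 1, 0), succeeded = if(outcome="Accepted", 1, 0);

// Branch 1: per-source counts. Running this also runs $login_attempts and
// $auth_events, because it depends on them, but nothing else in the module.
$by_source = from $login_attempts
    | stats sum(failed) AS failures, sum(succeeded) AS successes, dc(user) AS distinct_users BY src_ip;

// The finding: a source that failed many times and then got in.
// The threshold of 20 is an assumed starting point; tune it per environment.
$brute_force_then_success = from $by_source
    | where failures > 20 AND successes > 0;

// Branch 2: accounts that accepted a login, with the sources involved, for the
// write-up. It shares $login_attempts with branch 1 but does not depend on it.
$accounts_to_review = from $login_attempts
    | where outcome="Accepted"
    | stats values(src_ip) AS src_ips, latest(_time) AS last_login, count() AS logins BY user;
```

During an investigation you run $auth_events first to check the data, then $brute_force_then_success for the finding; the second run executes only the three statements it depends on. A colleague who receives the exported module can add a further statement, such as one that reads from $accounts_to_review and enriches the users with a lookup, without touching the searches already there.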
Watch the following video to see a demo of how modules can improve your incident investigations.
Additional resources
Now that you have an introduction to some of the powerful features of SPL2, watch the full .Conf25 talk, A deep dive into SPL2: How does it actually compare to SPL?. In the talk, you'll learn about additional features and listen to questions and answers from the live audience.
- Splunk Help: What is SPL2?
- Splunk Help: SPL2 Search Reference Introduction
- Splunk Help: SPL2 modules and statements

