Splunk notebooks - splunk/vscode-extension-splunk GitHub Wiki

Splunk notebooks provide the ability to author SPL notes, execute SPL notes as search jobs, and view results.

To get started:

  • Configure the following two Extension Settings:
    • Splunk Rest Url
    • Token
  • Open any file with the .splnb extension.

Preview: SPL2™ in Enterprise notebook Support

For those with access to the SPL2™ in Enterprise Preview, the Visual Studio Code Extension for Splunk Enterprise now also supports SPL2™ notebooks.

SPL2™ notebooks are recognized using either of these filename conventions:

  • Any file with the .spl2nb extension
  • A filename matching modules.json

Setup Extension for SPL2™ Deployment

  • Open the Extension Settings for the Splunk Extension for VSCode.
  • Enter the REST URL of your SPL2™-capable deployment, including the management port 8089, for example: https://example.splunkcloud.com:8089
  • Create a Splunk token for the Extension to connect to the deployment via REST: log in to your deployment and go to Settings > Tokens, or go directly to https://<STACK_HOST>/en-US/manager/launcher/authorization/tokens
  • Enable Token Authentication if it is not already enabled, create a "New Token", give it an audience (for example "vscode"), and copy the token value into VSCode Settings under Splunk > Commands: Token

NOTE: The token value is shown only once, when it is first created, so copy it from that screen at creation time and keep it somewhere safe if you will need it again. Treat it like a password: it is a bearer credential that gives REST callers the same rights as the user it was created for, and VSCode stores settings as plain-text JSON, so put it in your user settings rather than in a workspace settings file that might be committed, and give the token an expiration when you create it.
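As an added check (not code from the extension or this page), the script below verifies a REST URL and token pair before you open a notebook. It calls Splunk's /services/authentication/current-context endpoint with the token in an Authorization: Bearer header, which is how token authentication works against the management port, and reports which user and roles the token maps to, so a mistyped, truncated or expired token fails here rather than at the first cell execution. The REST URL and token are placeholders, the cafile argument is an assumed way to trust a private CA on port 8089 without disabling certificate verification, and SAMPLE_RESPONSE is a constructed response used for offline testing.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Hypothetical placeholders: replace with your own deployment and token.
# The token is a bearer credential; keep it out of version control.
REST_URL = "https://example.splunkcloud.com:8089"
TOKEN = "<paste-the-token-you-created-here>"

# Splunk REST endpoint that reports the identity behind the supplied credential.
CURRENT_CONTEXT = "/services/authentication/current-context?output_mode=json"


def build_request(rest_url: str, token: str) -> urllib.request.Request:
    """Build the GET a token-based client sends: Bearer auth on the management URL.

    Refuses plain http, since the token would otherwise travel in clear text.
    """
    if not rest_url.lower().startswith("https://"):
        raise ValueError("Splunk REST URL must start with https://")
    url = rest_url.rstrip("/") + CURRENT_CONTEXT
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def parse_current_context(body: bytes) -> dict:
    """Pull the username and roles out of a current-context JSON response."""
    content = json.loads(body)["entry"][0]["content"]
    return {"username": content["username"], "roles": list(content.get("roles", []))}


def check_token(rest_url: str, token: str, cafile: Optional[str] = None) -> dict:
    """Call the deployment and return the identity the token authenticates as.

    cafile (assumed helper argument) trusts a private CA for the management port
    instead of turning certificate verification off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_request(rest_url, token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return parse_current_context(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError(
                "token rejected: check it was copied in full, has not expired, "
                "and that Token Authentication is enabled"
            ) from err
        raise


# Constructed sample of what current-context returns, so the parser can be exercised offline.
SAMPLE_RESPONSE = b'{"entry":[{"name":"context","content":{"username":"vscode_user","roles":["user"]}}]}'

if __name__ == "__main__":
    print(check_token(REST_URL, TOKEN))
```

Run it once after saving the settings; the roles it prints are exactly what every notebook cell will execute with, so if it reports admin you may want a less privileged user for the token.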

Open SPL2™ compatible file

The SPL2™ features of the VSCode Extension are activated when either of the following file types are opened within VSCode: any modules.json file or any file with the .spl2nb extension.

  1. Open a blank file in VSCode named modules.json or with a .spl2nb extension.
  2. A notebook-style editor opens; click + Code to add an SPL2™ Code Cell.
  3. Enter your SPL2™ statements. The SPL2™ language server provides autocomplete, code actions (suggesting conversions from SPL1 to SPL2™, for example), hover documentation for certain commands, and syntax error highlighting. Note: only the last statement in the cell is executed (for instance $q2, when the cell's last statement defines $q2).
  4. To run the SPL2™ cell, click the play button "Execute Cell". This sends a request to the /spl2-module-dispatch endpoint on your deployment and shows the search id that was created (for example 1688147011.543). NOTE: you may need to widen your VSCode window to see the Job ID.
  5. The results are then displayed below the cell.
  6. Pressing the Execute Cell button (or Ctrl + Enter) runs the SPL2™ module for the given cell against the /services/search/spl2-module-dispatch endpoint, using the Splunk > Commands: Splunk Rest Url and Splunk > Commands: Token that you set up in Setup Extension for SPL2™ Deployment above.
  7. You can also configure the earliest and latest time window to run the search against by clicking the icons to the lower right of the cell. Valid values include relative times such as @d, -24h, -2d@d+2h and now, and also Epoch seconds such as 1687909025.
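The earliest and latest values above use Splunk's relative time modifier syntax. The resolver below is an added example (not code from the extension or this page) that turns such a value into epoch seconds, so you can see what window a cell will actually search, and catch an inverted window, before the request is sent. Splunk resolves these modifiers server-side in the searching user's timezone; this script resolves them in UTC against a fixed, constructed "now" (2023-06-30 17:43:31 UTC, epoch 1688147011) so that runs are repeatable, and it covers the common units s, m, h, d, w, mon and y, with @w snapping back to Sunday as Splunk does.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Constructed reference "now" so that results are repeatable: 2023-06-30 17:43:31 UTC.
REFERENCE_NOW = datetime(2023, 6, 30, 17, 43, 31, tzinfo=timezone.utc)

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One token of a modifier chain: an offset such as -24h, +2h or -d, or a snap such as @d or @mon.
_TOKEN = re.compile(r"(?P<sign>[+-])?(?P<num>\d*)(?P<unit>mon|[smhdwy])|@(?P<snap>mon|[smhdwy])")


def _shift(t: datetime, n: int, unit: str) -> datetime:
    """Move t by n units; months and years are calendar-aware (day clamped to month length)."""
    if unit in UNIT_SECONDS:
        return t + timedelta(seconds=n * UNIT_SECONDS[unit])
    months = n * (12 if unit == "y" else 1)
    year, month0 = divmod(t.year * 12 + (t.month - 1) + months, 12)
    day = min(t.day, calendar.monthrange(year, month0 + 1)[1])
    return t.replace(year=year, month=month0 + 1, day=day)


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit (@w goes back to the most recent Sunday)."""
    t = t.replace(microsecond=0)
    if unit == "s":
        return t
    t = t.replace(second=0)
    if unit == "m":
        return t
    t = t.replace(minute=0)
    if unit == "h":
        return t
    t = t.replace(hour=0)
    if unit == "d":
        return t
    if unit == "w":
        return t - timedelta(days=(t.weekday() + 1) % 7)  # weekday(): Monday=0 ... Sunday=6
    t = t.replace(day=1)
    if unit == "mon":
        return t
    return t.replace(month=1)  # unit == "y"


def resolve_time(spec: str, now: datetime = REFERENCE_NOW) -> int:
    """Resolve 'now', epoch seconds, or a chain like '-2d@d+2h' to epoch seconds."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty time value")
    if spec == "now":
        return int(now.timestamp())
    if spec.isdigit():
        return int(spec)
    t, pos = now, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"unrecognised time modifier at offset {pos} in {spec!r}")
        pos = m.end()
        if m.group("snap"):
            t = _snap(t, m.group("snap"))
        else:
            n = int(m.group("num") or 1)  # "-d" means "-1d"
            t = _shift(t, -n if m.group("sign") == "-" else n, m.group("unit"))
    return int(t.timestamp())


def resolve_window(earliest: str, latest: str, now: datetime = REFERENCE_NOW) -> tuple:
    """Resolve both ends of a search window and refuse an inverted one before it is sent."""
    lo, hi = resolve_time(earliest, now), resolve_time(latest, now)
    if lo > hi:
        raise ValueError(f"earliest {earliest!r} resolves after latest {latest!r}")
    return lo, hi


if __name__ == "__main__":
    for spec in ("@d", "-24h", "-2d@d+2h", "now", "1687909025"):
        print(f"{spec:>12} -> {resolve_time(spec)}")
```

Note that a snap is applied at the point it appears in the chain, so -2d@d+2h and -2d+2h@d are different windows; the former is what the page lists and resolves to 02:00 two days ago.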
