A fast, zero-dependency linter for Splunk SPL searches.

Project description

splint

splint catches the performance anti-patterns and style slips that creep into SPL — broad index wildcards, leading wildcards, expensive join/transaction, unbounded sort — before they hit production. It runs anywhere Python 3.11+ runs, has no runtime dependencies, and plugs straight into pre-commit and CI.

It's been run against the entire splunk/security_content detection library (2,000+ real searches) to keep its rules signal-rich and its false-positive rate low.

$ splint examples/sample.spl
examples/sample.spl:1:1: SPL001 `index=*` uses a wildcard; specify explicit indexes to avoid scanning every index.
examples/sample.spl:1:41: SPL002 `user=*admin` has a leading wildcard, which disables efficient term lookups.
examples/sample.spl:2:2: SPL003 `join` is costly and caps subsearch results (default 50k); consider `stats`, `eventstats`, or a `lookup` instead.
examples/sample.spl:3:2: SPL004 `transaction` is memory-intensive and not distributable; prefer `stats` grouped by a correlation field when possible.
examples/sample.spl:4:2: SPL005 `sort` has no limit; add a count (e.g. `sort 100 -_time`) to cap memory and runtime.

Found 5 issues.

Install

Requires Python 3.11+. Works on Linux, macOS and Windows — it's pure Python with no compiled extensions or runtime dependencies.

pip install splint-spl

Or, to keep it isolated as a standalone CLI:

pipx install splint-spl

Usage

splint query.spl                 # lint one or more files
splint *.spl                     # globs work
cat query.spl | splint -         # read from stdin
splint query.spl --format json   # text | json | sarif
splint query.spl --select SPL001,SPL003
splint query.spl --ignore SPL101

Exit codes: 0 no issues, 1 issues found, 2 usage/IO error — ideal for CI.

Rules

Code    Name               Severity  What it flags
SPL001  index-wildcard     warning   Wildcards in the index= specifier (index=*, index=win*)
SPL002  leading-wildcard   info      Field values starting with * in the base search (user=*admin)
SPL003  join-usage         warning   join command (expensive, silently truncates)
SPL004  transaction-usage  warning   transaction command (memory-heavy, non-distributable)
SPL005  unbounded-sort     warning   sort without a row count or limit=
SPL101  pipe-spacing       info      Missing space around the | pipe

Inline suppression

Use an SPL triple-backtick comment containing noqa on the offending line — a bare noqa silences every rule on that line, or list specific codes:

index=* | stats count   ```noqa```           « suppress everything on this line »
index=* | stats count   ```noqa: SPL001```   « suppress only SPL001 »
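As an added example (not splint's own code), the following small Python checker approximates the five performance rules from the table above and the triple-backtick noqa suppression described here, so a reviewer can see how a finding is located (line:column) and how a suppression comment silences one rule or all of them. The regexes, the two sample searches and the function names are assumptions of this sketch, not the project's parser or API.

```python
import re

# Constructed sample carrying the anti-patterns from the rule table above; the
# join on line 2 is silenced with the README's triple-backtick noqa comment.
BAD_SPL = """index=* sourcetype=WinEventLog user=*admin
| join type=left user [search index=hr | fields user dept]   ```noqa: SPL003```
| transaction user maxspan=5m
| sort -_time"""

# The same search rewritten as the rule messages suggest (also constructed).
GOOD_SPL = "index=main user=admin | stats count by user | sort 100 -_time"

# (code, severity, pattern, message); group 1 is the flagged token. These regexes are a hypothetical sketch, not splint's parser.
RULES = [
    ("SPL001", "warning", re.compile(r"\b(index=\S*\*\S*)"), "`index=` uses a wildcard"),
    ("SPL002", "info", re.compile(r"\b(?!index=)(\w+=\*\S*)"), "leading wildcard in value"),
    ("SPL003", "warning", re.compile(r"\|\s*(join)\b"), "`join` is costly and truncates"),
    ("SPL004", "warning", re.compile(r"\|\s*(transaction)\b"), "`transaction` is memory-heavy"),
    ("SPL005", "warning", re.compile(r"\|\s*(sort)\b(?!\s+(?:\d+\b|limit=))"), "`sort` has no limit"),
]
NOQA = re.compile(r"```noqa(?::\s*([A-Z0-9, ]+?))?```")

def suppressed(line: str, code: str) -> bool:
    """True if a noqa comment on this line silences `code` (bare noqa silences all)."""
    m = NOQA.search(line)
    if m is None:
        return False
    return m.group(1) is None or code in {c.strip() for c in m.group(1).split(",")}

def lint(text: str) -> list[tuple[int, int, str, str, str]]:
    """Return (line, column, code, severity, message) findings with 1-based positions."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for code, severity, pattern, message in RULES:
            for m in pattern.finditer(line):
                if not suppressed(line, code):
                    findings.append((lineno, m.start(1) + 1, code, severity, message))
    return findings

def report(path: str, text: str) -> int:
    """Print findings in splint's text layout; return 1 if any were found, else 0."""
    findings = lint(text)
    for lineno, col, code, _severity, message in findings:
        print(f"{path}:{lineno}:{col}: {code} {message}")
    print(f"Found {len(findings)} issues.")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(max(report("bad.spl", BAD_SPL), report("good.spl", GOOD_SPL)))
```

The checker scans every line, so it does not distinguish the base search from later pipeline stages the way the real SPL002 rule does; it is enough to show how a rule, a position and a suppression fit together.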

Configuration

splint reads .spl-lint.toml (whole file) or a [tool.splint] table in pyproject.toml:

[tool.splint]
select = ["SPL001", "SPL002", "SPL003", "SPL004", "SPL005"]
ignore = ["SPL101"]

CLI --select / --ignore override the config file.

pre-commit

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/splforge/splint
    rev: v0.1.0
    hooks:
      - id: splint

Development

pip install -e ".[dev]"
ruff check .
pytest

License

MIT © splforge

Download files

Source Distribution

splint_spl-0.1.0.tar.gz (14.5 kB, tag: Source)

Built Distribution

splint_spl-0.1.0-py3-none-any.whl (14.6 kB, tag: Python 3)

File details

Details for the file splint_spl-0.1.0.tar.gz.

File metadata

  • Download URL: splint_spl-0.1.0.tar.gz
  • Size: 14.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for splint_spl-0.1.0.tar.gz
Algorithm    Hash digest
SHA256       cd4ce91bb645f9e815027662f86c772738a6a550c5e21faee0427bcffe540a85
MD5          d376bb3492dbb844df504eeb0ba22684
BLAKE2b-256  55c03e23832efd90d80c64b8f55bc0454fdea8e5c2f44f44a24cb92541e11220


Provenance

The following attestation bundles were made for splint_spl-0.1.0.tar.gz:

Publisher: release.yml on splforge/splint

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file splint_spl-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: splint_spl-0.1.0-py3-none-any.whl
  • Size: 14.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for splint_spl-0.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       d0d0d0a2dece58c5fc216b69f0e8350d5aa5cdca8453f4de6ba895707efb07ee
MD5          f7f828e36e8a31863138d18340af6014
BLAKE2b-256  778c486a67a4397e8aeb1558624e5534a2959200422d9b8ae6bd29c264bcae0e


Provenance

The following attestation bundles were made for splint_spl-0.1.0-py3-none-any.whl:

Publisher: release.yml on splforge/splint

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
