Skip to content

The idea is simply to save some quick notes that will make it easier for Splunk users to leverage KQL (Kusto), especially giving projects requiring both technologies (Splunk and Azure/Sentinel) or any other hybrid environments. Feel free to add/suggest entries.

Notifications You must be signed in to change notification settings

inodee/spl-to-kql

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 

Repository files navigation

Kusto for Splunkers: Why this?

The idea is to make it easier for Splunk users to leverage KQL (migrations, hybrid environments, consultants). The way the data (stream) is manipulated is of course different, the goal here is to get a head start before diving into formal KQL documentation.

Please note I've only played for a few hours before writing this 🐣 therefore feedback and suggestions are more than welcome!

If you are looking for code translators or something similar, consider this project (never used though): https://uncoder.io

How to get started?

For me the easiest was to get access to Azure's Data Explorer and start playing from there as it provides multiple datasets for interactiing and even allowing charts/dataviz rendering.

You can also start from MS Tutorials on how to write KQL queries.

KQL Doc Reference

Kusto Query Language (KQL) reference doc

Also consider this nice cheatsheet doc from Markus Bakker: https://github.com/marcusbakker/KQL/blob/master/kql_cheat_sheet_v01.pdf

SPL-to-KQL Cheatsheet

SPL Quick Reference doc can be found here.

Notes:

  • In SPL we usually refer to fields instead of columns. In KQL docs there are many references similar to SQL lang.
  • In SPL, every command starts with a pipe (|). Likewise, in KQL, each filter prefixed by the pipe is an instance of an operator.
  • Aforementioned pipe char (SPL's command prefix) is suppressed from the table below for simplicity, except for multi-line examples.
  • Of course, some commands are better compared from a "use case" perspective, therefore no 1-to-1 mapping possible as each language has its particularities.
SPL KQL Remarks
head 
take 
limit is a synonym. Consider sorting for consitency (SPL's head/tail).
table <field(s)>
project <field(s)>
Multiple columns are separated by comma (,). More project uses below.
fields - <field(s)>
project-away <field(s)>
Also consider project-keep
rename source_addr AS src_ip
project-rename source_addr = src_ip
I haven't figured out how to use wildcards. Also check this.
search OS="win"
where OS contains "win"
Also consider search
where OS="Windows 10"
where OS=="Windows 10"
Case sensitive
search OS="windows 10"
where OS=~"windows 10"
Case insensitive
search OS IN ("windows", "linux")
where OS in~ ("windows", "linux")
Case insensitive full-match (implied OR operation)
where match(OS, "")
where OS matches regex ""
Complies with re2 https://github.com/google/re2/wiki/Syntax
eval shake = milk."+".fruit
extend shake = strcat(milk, "+", fruit)
Many more string operators here
| makeresults
| eval fruit="strawberry"
| eval emo=if(
match(fruit,"berry"), ":)", ":("
)
| fields - fruit, _time
print fruit="blueberry", _time=now()
| project emo=iff(fruit contains_cs "berry",":)",":(")
Using project while evaluating a new column/field
eval sum = num1 + num2
extend sum = num1 + num2
Also consider understanding let statement (many other use cases)
base search for StormEvents
| stats count AS c1
StormEvents
| summarize c1=count()
Also consider count operator. Similar use for distinct counting with dcount
base search for StormEvents
| stats count(eval(len(State)>10)) AS c1
StormEvents
| summarize c1=countif(strlen(State)>10)
Also consider count operator
base search for StormEvents
| stats dc(eval(match(state, "^I"))) AS c1
StormEvents
| summarize c1=dcountif(State, State startswith "I")
Also consider count operator
base search for StormEvents
| stats c by State, EventType
| sort 5 -num(c)
StormEvents
| summarize c=count() by State, EventType
| top 5 by c
KQL's top behaves differently (EventType is kept in the output) rather than SPL's transformation top (see below)
base search for StormEvents
| top 5 State
StormEvents
| summarize c=count() by State
| top-hitters 5 of State by c
A combination of summarize, sort and take is also possible here
| bin _time span=1d
| eval DoY=strftime(_time, "%j")
format_datetime, datetime_part and summarize's bin() No clear equivalent here, depends on use case
rex, replace parse, parse-where Fields extraction and string replacement
No specific command for Charts and Dashboards render (chart type is a parameter) Some quick chart and dashboard examples here & there

About

The idea is simply to save some quick notes that will make it easier for Splunk users to leverage KQL (Kusto), especially giving projects requiring both technologies (Splunk and Azure/Sentinel) or any other hybrid environments. Feel free to add/suggest entries.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published