{"id":21889541,"url":"https://github.com/inodee/spl-to-kql","last_synced_at":"2025-03-22T02:41:57.683Z","repository":{"id":205585548,"uuid":"310274236","full_name":"inodee/spl-to-kql","owner":"inodee","description":"The idea is simply to save some quick notes that will make it easier for Splunk users to leverage KQL (Kusto), especially giving projects requiring both technologies (Splunk and Azure/Sentinel) or any other hybrid environments. Feel free to add/suggest entries.","archived":false,"fork":false,"pushed_at":"2020-11-07T18:11:01.000Z","size":59,"stargazers_count":39,"open_issues_count":0,"forks_count":6,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-01-26T20:46:48.771Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/inodee.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-11-05T11:11:24.000Z","updated_at":"2025-01-07T19:15:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"66e6f801-8565-48c6-9d11-756d97a6a1a6","html_url":"https://github.com/inodee/spl-to-kql","commit_stats":null,"previous_names":["inodee/spl-to-kql"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inodee%2Fspl-to-kql","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inodee%2Fspl-to-kql/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inodee%2Fspl-to-kql/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inodee%2Fspl-to-kql/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/inodee","download_url":"https://codeload.github.com/inodee/spl-to-kql/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244898408,"owners_count":20528335,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-28T11:24:51.845Z","updated_at":"2025-03-22T02:41:57.647Z","avatar_url":"https://github.com/inodee.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kusto for Splunkers: Why this?\nThe idea is to make it easier for Splunk users to leverage KQL (migrations, hybrid environments, consultants). 
The way the data (stream) is _manipulated_ is of course different; the goal here is to get a head start before diving into formal KQL documentation.\n\nPlease note I've only played for a few hours before writing this :hatching_chick:, therefore feedback and suggestions are more than welcome!\n\nIf you are looking for _code translators_ or something similar, consider this project (never used though): https://uncoder.io\n\n## How to get started?\nFor me the easiest was to get access to [Azure's Data Explorer](https://dataexplorer.azure.com) and start playing from there, as it provides multiple datasets for interacting and even allows charts/dataviz rendering.\n\nYou can also start from [MS Tutorials](https://docs.microsoft.com/en-us/azure/data-explorer/write-queries) on how to write KQL queries.\n\n### KQL Doc Reference\n\n[Kusto Query Language (KQL) reference doc](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/)\n\nAlso consider this nice cheatsheet doc from Marcus Bakker: https://github.com/marcusbakker/KQL/blob/master/kql_cheat_sheet_v01.pdf\n\n# SPL-to-KQL Cheatsheet\nSPL Quick Reference doc can be found [here](https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/ListOfSearchCommands).\n\nNotes:\n* In SPL we usually refer to _fields_ instead of _columns_. In KQL docs there are many references similar to the SQL language.\n* In SPL, every _command_ starts with a pipe (|). 
Likewise, in KQL, each filter prefixed by the pipe is an instance of an [operator](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/queries).\n* The aforementioned pipe char (SPL's command prefix) is suppressed from the table below for simplicity, except for multi-line examples.\n* Of course, some commands are better compared from a \"use case\" perspective, therefore no 1-to-1 mapping is possible, as each language has its particularities.\n\n| SPL | KQL | Remarks |\n| --- | --- | --- |\n|\u003cpre\u003ehead \u003cn\u003e\u003c/pre\u003e | \u003cpre\u003e[take](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/takeoperator) \u003cn\u003e\u003c/pre\u003e | `limit` is a synonym. Consider sorting for consistency (SPL's head/tail).\n|\u003cpre\u003etable \u003cfield(s)\u003e\u003c/pre\u003e | \u003cpre\u003e[project](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/projectoperator) \u003cfield(s)\u003e\u003c/pre\u003e | Multiple columns are separated by comma (,). More `project` uses below.\n|\u003cpre\u003efields - \u003cfield(s)\u003e\u003c/pre\u003e | \u003cpre\u003e[project-away](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator) \u003cfield(s)\u003e\u003c/pre\u003e | Also consider [`project-keep`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/project-keep-operator)\n|\u003cpre\u003erename source_addr AS src_ip\u003c/pre\u003e | \u003cpre\u003e[project-rename](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/projectrenameoperator) source_addr = src_ip\u003c/pre\u003e | I haven't figured out how to use wildcards. 
Also check [this](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/management/rename-column#rename-columns).\n|\u003cpre\u003esearch OS=\"*win*\"\u003c/pre\u003e| \u003cpre\u003e[where](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/whereoperator) OS contains \"win\"\u003c/pre\u003e | Also consider [`search`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator)\n|\u003cpre\u003ewhere OS=\"Windows 10\"\u003c/pre\u003e| \u003cpre\u003ewhere OS==\"Windows 10\"\u003c/pre\u003e | Case sensitive \n|\u003cpre\u003esearch OS=\"windows 10\"\u003c/pre\u003e| \u003cpre\u003ewhere OS=~\"windows 10\"\u003c/pre\u003e | Case insensitive \n|\u003cpre\u003esearch OS IN (\"windows\", \"linux\")\u003c/pre\u003e| \u003cpre\u003ewhere OS in~ (\"windows\", \"linux\")\u003c/pre\u003e | Case insensitive full-match (implied OR operation)\n|\u003cpre\u003ewhere match(OS, \"\u003cregex\u003e\")\u003c/pre\u003e| \u003cpre\u003ewhere OS matches regex \"\u003cregex\u003e\"\u003c/pre\u003e | Complies with re2 https://github.com/google/re2/wiki/Syntax\n|\u003cpre\u003eeval shake = milk.\"+\".fruit\u003c/pre\u003e| \u003cpre\u003e[extend](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/extendoperator) shake = strcat(milk, \"+\", fruit)\u003c/pre\u003e | Many more string operators [here](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators)\n|\u003cpre\u003e\\| makeresults\u003cbr\u003e\\| eval fruit=\"strawberry\"\u003cbr\u003e\\| eval emo=if(\u003cbr\u003e  match(fruit,\"berry\"), \":)\", \":(\"\u003cbr\u003e  )\u003cbr\u003e\\| fields - fruit, _time\u003c/pre\u003e| \u003cpre\u003e[print](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/printoperator) fruit=\"blueberry\", _time=now()\u003cbr\u003e\\| project emo=[iff](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ifffunction)(fruit contains_cs \"berry\",\":)\",\":(\")\u003c/pre\u003e | Using `project` 
while evaluating a new column/field\n|\u003cpre\u003eeval sum = num1 + num2\u003c/pre\u003e| \u003cpre\u003eextend sum = num1 + num2\u003c/pre\u003e | Also consider understanding [`let`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/letstatement) statement (many other use cases)\n|\u003cpre\u003ebase search for StormEvents\u003cbr\u003e\\| stats count AS c1\u003c/pre\u003e| \u003cpre\u003eStormEvents\u003cbr\u003e\\| summarize c1=[count()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/count-aggfunction)\u003c/pre\u003e| Also consider [`count`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countoperator) operator. Similar use for distinct counting with [`dcount`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/dcount-aggfunction)\n|\u003cpre\u003ebase search for StormEvents\u003cbr\u003e\\| stats count(eval(len(State)\u003e10)) AS c1\u003c/pre\u003e| \u003cpre\u003eStormEvents\u003cbr\u003e\\| summarize c1=[countif](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countif-aggfunction)(strlen(State)\u003e10)\u003c/pre\u003e| Also consider [`count`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countoperator) operator\n|\u003cpre\u003ebase search for StormEvents\u003cbr\u003e\\| stats dc(eval(match(state, \"^I\"))) AS c1\u003c/pre\u003e| \u003cpre\u003eStormEvents\u003cbr\u003e\\| summarize c1=[dcountif](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/dcountif-aggfunction)(State, State startswith \"I\")\u003c/pre\u003e| Also consider [`count`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countoperator) operator\n|\u003cpre\u003ebase search for StormEvents\u003cbr\u003e\\| stats c by State, EventType\u003cbr\u003e\\| sort 5 -num(c)\u003c/pre\u003e| \u003cpre\u003eStormEvents\u003cbr\u003e\\| summarize c=count() by State, EventType\u003cbr\u003e\\| 
[top](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/topoperator) 5 by c\u003c/pre\u003e| KQL's [`top`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/topoperator) behaves differently (_EventType_ is kept in the output) from SPL's transforming [`top`](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Top) command (see below)\n|\u003cpre\u003ebase search for StormEvents\u003cbr\u003e\\| top 5 State\u003c/pre\u003e| \u003cpre\u003eStormEvents\u003cbr\u003e\\| summarize c=count() by State\u003cbr\u003e\\| [top-hitters](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tophittersoperator) 5 of State by c\u003c/pre\u003e| A combination of `summarize`, `sort` and `take` is also possible here \n|\u003cpre\u003e\\| [bin](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Bin) _time span=1d\u003cbr\u003e\\| eval DoY=[strftime](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions#Date_and_Time_functions)(_time, \"%j\")\u003c/pre\u003e|[format_datetime](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/format-datetimefunction), [datetime_part](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-partfunction) and summarize's [bin()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/binfunction)|No clear equivalent here, depends on use case\n|[rex](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Rex), [replace](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions#Text_functions)|[parse](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator), [parse-where](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parsewhereoperator)|Field extraction and string replacement\n| No specific command for [Charts](https://docs.splunk.com/Documentation/Splunk/8.1.0/Viz/Visualizationreference) and 
[Dashboards](https://docs.splunk.com/Documentation/DashApp/0.8.0/DashApp/examples)| [render](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/renderoperator?pivots=azuredataexplorer) (chart type is a parameter)| Some quick chart and dashboard examples [here](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuredataexplorer#render-display-a-chart-or-table) \u0026 [there](https://docs.microsoft.com/en-us/azure/data-explorer/azure-data-explorer-dashboards)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finodee%2Fspl-to-kql","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finodee%2Fspl-to-kql","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finodee%2Fspl-to-kql/lists"}