https://github.com/inodee/spl-to-kql

The idea is simply to save some quick notes that will make it easier for Splunk users to leverage KQL (Kusto), especially given projects requiring both technologies (Splunk and Azure/Sentinel) or any other hybrid environments. Feel free to add/suggest entries.

# Kusto for Splunkers: Why this?
The idea is to make it easier for Splunk users to leverage KQL (migrations, hybrid environments, consultants). The way the data (stream) is _manipulated_ is of course different; the goal here is to get a head start before diving into the formal KQL documentation.

Please note I've only played for a few hours before writing this :hatching_chick: therefore feedback and suggestions are more than welcome!

If you are looking for _code translators_ or something similar, consider this project (never used though): https://uncoder.io

## How to get started?
For me the easiest was to get access to [Azure's Data Explorer](https://dataexplorer.azure.com) and start playing from there, as it provides multiple sample datasets to interact with and even renders charts/dataviz.

You can also start from [MS Tutorials](https://docs.microsoft.com/en-us/azure/data-explorer/write-queries) on how to write KQL queries.

### KQL Doc Reference

[Kusto Query Language (KQL) reference doc](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/)

Also consider this nice cheatsheet doc from Marcus Bakker: https://github.com/marcusbakker/KQL/blob/master/kql_cheat_sheet_v01.pdf

# SPL-to-KQL Cheatsheet
SPL Quick Reference doc can be found [here](https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/ListOfSearchCommands).

Notes:
* In SPL we usually refer to _fields_ instead of _columns_. The KQL docs borrow a lot of their terminology (tables, columns) from SQL.
* In SPL, every _command_ starts with a pipe (|). Likewise, in KQL, each pipe-prefixed step is an instance of an [operator](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/queries).
* The aforementioned pipe char (SPL's command prefix) is omitted from the table below for simplicity, except in multi-line examples.
* Of course, some commands are better compared from a "use case" perspective, so a 1-to-1 mapping is not always possible as each language has its particularities.

| SPL | KQL | Remarks |
| --- | --- | --- |
| head | [take](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/takeoperator) | `limit` is a synonym. Sort first for consistent results (as with SPL's `head`/`tail`). |
| table | [project](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/projectoperator) | Multiple columns are separated by comma (,). More `project` uses below. |
| fields - | [project-away](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator) | Also consider [`project-keep`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/project-keep-operator) |
| rename source_addr AS src_ip | [project-rename](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/projectrenameoperator) src_ip = source_addr | The new name goes on the left (`NewName = OldName`). I haven't figured out how to use wildcards. Also check [this](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/management/rename-column#rename-columns). |
| search OS="*win*" | [where](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/whereoperator) OS contains "win" | Also consider [`search`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator) |
| where OS="Windows 10" | where OS=="Windows 10" | Case sensitive |
| search OS="windows 10" | where OS=~"windows 10" | Case insensitive |
| search OS IN ("windows", "linux") | where OS in~ ("windows", "linux") | Case-insensitive full match (implied OR operation) |
| where match(OS, "") | where OS matches regex "" | Regex syntax follows [re2](https://github.com/google/re2/wiki/Syntax) |
| eval shake = milk."+".fruit | [extend](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/extendoperator) shake = strcat(milk, "+", fruit) | Many more string operators [here](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators) |
| \| makeresults<br>\| eval fruit="strawberry"<br>\| eval emo=if(match(fruit,"berry"), ":)", ":(")<br>\| fields - fruit, _time | [print](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/printoperator) fruit="blueberry", _time=now()<br>\| project emo=[iff](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/ifffunction)(fruit contains_cs "berry",":)",":(") | Using `project` while evaluating a new column/field |
| eval sum = num1 + num2 | extend sum = num1 + num2 | Also consider understanding the [`let`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/letstatement) statement (many other use cases) |
| base search for StormEvents<br>\| stats count AS c1 | StormEvents<br>\| summarize c1=[count()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/count-aggfunction) | Also consider the [`count`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countoperator) operator. Similar use for distinct counting with [`dcount`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/dcount-aggfunction) |
| base search for StormEvents<br>\| stats count(eval(len(State)>10)) AS c1 | StormEvents<br>\| summarize c1=[countif](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countif-aggfunction)(strlen(State)>10) | Also consider the [`count`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countoperator) operator |
| base search for StormEvents<br>\| stats dc(eval(if(match(State, "^I"), State, null()))) AS c1 | StormEvents<br>\| summarize c1=[dcountif](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/dcountif-aggfunction)(State, State startswith "I") | Also consider the [`count`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/countoperator) operator |
| base search for StormEvents<br>\| stats count AS c by State, EventType<br>\| sort 5 -num(c) | StormEvents<br>\| summarize c=count() by State, EventType<br>\| [top](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/topoperator) 5 by c | KQL's [`top`](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/topoperator) only sorts and truncates, so every column (_EventType_ included) stays in the output, unlike SPL's transforming [`top`](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Top) command (see next row) |
| base search for StormEvents<br>\| top 5 State | StormEvents<br>\| summarize c=count() by State<br>\| [top-hitters](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tophittersoperator) 5 of State by c | A combination of `summarize`, `sort` and `take` also works here |
| \| [bin](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Bin) _time span=1d<br>\| eval DoY=[strftime](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions#Date_and_Time_functions)(_time, "%j") | [format_datetime](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/format-datetimefunction), [datetime_part](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-partfunction) and summarize's [bin()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/binfunction) | No clear equivalent here, depends on use case |
| [rex](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Rex), [replace](https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions#Text_functions) | [parse](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator), [parse-where](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parsewhereoperator) | Field extraction and string replacement |
| No specific command for [Charts](https://docs.splunk.com/Documentation/Splunk/8.1.0/Viz/Visualizationreference) and [Dashboards](https://docs.splunk.com/Documentation/DashApp/0.8.0/DashApp/examples) | [render](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/renderoperator?pivots=azuredataexplorer) (chart type is a parameter) | Some quick chart and dashboard examples [here](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuredataexplorer#render-display-a-chart-or-table) & [there](https://docs.microsoft.com/en-us/azure/data-explorer/azure-data-explorer-dashboards) |
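As an added example (my own code, not part of the spl-to-kql project), here is a small Python translator for the `search`/`where` rows of the table above. It goes a little beyond the table by also handling `!=`, one-sided wildcards (`startswith`/`endswith`) and `NOT IN`, and it makes the case-sensitivity rule explicit: SPL `search` maps to the case-insensitive KQL operators (`=~`, `in~`, `contains`), while SPL `where` maps to the case-sensitive `==`/`!=`/`in`. Single commands with double-quoted literals and no AND/OR combinations are assumed.

```python
import re

# Added example, not code from the spl-to-kql project: translate the SPL filter
# idioms from the cheatsheet table into KQL `where` clauses, keeping the case
# sensitivity each side implies. Assumed simplifications: one command per call,
# double-quoted literals, no AND/OR combinations.

_CMP = re.compile(r'^(search|where)\s+(\w+)\s*(=|!=)\s*"([^"]*)"$')
_IN = re.compile(r'^(search|where)\s+(\w+)\s+(NOT\s+)?IN\s*\(([^)]*)\)$', re.I)
_MATCH = re.compile(r'^where\s+match\(\s*(\w+)\s*,\s*"([^"]*)"\s*\)$')

def _quote(value: str) -> str:
    """Render a KQL string literal, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def spl_filter_to_kql(spl: str) -> str:
    """Translate one SPL filter command (without its leading pipe) into KQL."""
    spl = spl.strip()
    m = _CMP.match(spl)
    if m:
        cmd, field, op, value = m.groups()
        neg = op == "!="
        if cmd == "search":
            # `search` matches case-insensitively; leading/trailing `*` become
            # the (case-insensitive) substring operators, no `*` becomes =~ / !~
            core = value.strip("*")
            if value.startswith("*") and value.endswith("*") and core:
                kql_op = "!contains" if neg else "contains"
            elif value.endswith("*") and core:
                kql_op = "!startswith" if neg else "startswith"
            elif value.startswith("*") and core:
                kql_op = "!endswith" if neg else "endswith"
            else:
                kql_op, core = ("!~" if neg else "=~"), value
            return f"where {field} {kql_op} {_quote(core)}"
        # `where` is an eval expression and case-sensitive, like KQL == and !=
        return f"where {field} {'!=' if neg else '=='} {_quote(value)}"
    m = _IN.match(spl)
    if m:
        cmd, field, negated, items = m.groups()
        values = [v.strip().strip('"') for v in items.split(",") if v.strip()]
        suffix = "" if cmd.lower() == "where" else "~"  # in~ ignores case
        kql_op = ("!" if negated else "") + "in" + suffix
        return f"where {field} {kql_op} ({', '.join(_quote(v) for v in values)})"
    m = _MATCH.match(spl)
    if m:
        field, pattern = m.groups()
        return f"where {field} matches regex {_quote(pattern)}"
    raise ValueError(f"unsupported SPL filter: {spl!r}")
```

The case-sensitivity mapping matters when porting detections: a Splunk `search` that silently matched "Windows" and "windows" alike will miss events if it becomes a KQL `==` instead of `=~`.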