articles/sentinel/migration-splunk-detection-rules.md
10 additions & 10 deletions
@@ -128,7 +128,7 @@ Use these samples to compare and map rules from Splunk to Microsoft Sentinel in
128
128
|`eventstats`|Generates summary statistics from fields in your events and saves those statistics in a new field.<br><br>[SPL example](#eventstats-command-spl-example)|Examples:<br>• [join](/kusto/query/join-operator?view=microsoft-sentinel&preserve-view=true)<br>• [make_list](/kusto/query/make-list-aggregation-function?view=microsoft-sentinel&preserve-view=true)<br>• [mv-expand](/kusto/query/mv-expand-operator?view=microsoft-sentinel&preserve-view=true)|[KQL example](#eventstats-command-kql-example)|
129
129
|`streamstats`|Find the cumulative sum of a field.<br><br>SPL example:<br>`... | streamstats sum(bytes) as bytes _ total \| timechart` |[row_cumsum](/kusto/query/row-cumsum-function?view=microsoft-sentinel&preserve-view=true)|`...\| serialize cs=row_cumsum(bytes)`|
130
130
|`anomalydetection`|Find anomalies in the specified field.<br><br>[SPL example](#anomalydetection-command-spl-example)|[series_decompose_anomalies()](/kusto/query/series-decompose-anomalies-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#anomalydetection-command-kql-example)|
131
-
|`where`|Filters search results using `eval` expressions. Used to compare two different fields. |[where](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)|`T | where fruit=="apple"` |
131
+
|`where`|Filters search results using `eval` expressions. Used to compare two diiferent fields. |[where](/kusto/query/where-operator?view=microsoft-sentinel&preserve-view=true)|`T | where fruit=="apple"` |
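Review bot: the `+` line at 131 introduces a misspelling, `diiferent` for `different`, and the `-` line it replaces already had the correct spelling, so this hunk is a regression with no other change in it. Suggest restoring `Used to compare two different fields.` and dropping the hunk.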
|`cos(X)`|Calculates the cosine of X. |`n=cos(0)`|[cos()](/kusto/query/cos-function?view=microsoft-sentinel&preserve-view=true)|`cos(X)`|
251
251
|`exact(X)`|Evaluates an expression X using double precision floating point arithmetic. |`exact(3.14*num)`|[`todecimal()`](/kusto/query/todecimal-function?view=microsoft-sentinel&preserve-view=true)|`todecimal(3.14*2)`|
|`if(X,Y,Z)`|If `X` evaluates to `TRUE`, the result is the second argument `Y`. If `X` evaluates to `FALSE`, the result evaluates to the third argument `Z`. |`if(error==200,`<br> `"OK", "Error")`|[`iif()`](/kusto/query/iff-function?view=microsoft-fabric&preserve-view=true)|[KQL example](#ifxyz-kql-example)|
254
-
|`isbool(X)`|Returns `TRUE` if `X` is boolean. |`isbool(field)`|• [`iif()`](/kusto/query/iff-function?view=microsoft-fabric&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|`iif(gettype(X) =="bool","TRUE","FALSE")`|
255
-
|`isint(X)`|Returns `TRUE` if `X` is an integer. |`isint(field)`|• [`iif()`](/kusto/query/iff-function?view=microsoft-fabric&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isintx-kql-example)|
253
+
|`if(X,Y,Z)`|If `X` evaluates to `TRUE`, the result is the second argument `Y`. If `X` evaluates to `FALSE`, the result evaluates to the third argument `Z`. |`if(error==200,`<br> `"OK", "Error")`|[`iif()`](/kusto/query/iif-function?view=microsoft-sentinelc&preserve-view=true)|[KQL example](#ifxyz-kql-example)|
254
+
|`isbool(X)`|Returns `TRUE` if `X` is boolean. |`isbool(field)`|• [`iif()`](/kusto/query/iif-function?view=microsoft-sentinelc&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|`iif(gettype(X) =="bool","TRUE","FALSE")`|
255
+
|`isint(X)`|Returns `TRUE` if `X` is an integer. |`isint(field)`|• [`iif()`](/kusto/query/iif-function?view=microsoft-sentinelc&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isintx-kql-example)|
256
256
|`isnull(X)`|Returns `TRUE` if `X` is null. |`isnull(field)`|[`isnull()`](/kusto/query/isnull-function?view=microsoft-sentinel&preserve-view=true)|`isnull(field)`|
257
-
|`isstr(X)`|Returns `TRUE` if `X` is a string. |`isstr(field)`|• [`iif()`](/kusto/query/iff-function?view=microsoft-fabric&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isstrx-kql-example)|
257
+
|`isstr(X)`|Returns `TRUE` if `X` is a string. |`isstr(field)`|• [`iif()`](/kusto/query/iif-function?view=microsoft-sentinelc&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isstrx-kql-example)|
258
258
|`len(X)`|This function returns the character length of a string `X`. |`len(field)`|[`strlen()`](/kusto/query/strlen-function?view=microsoft-sentinel&preserve-view=true)|`strlen(field)`|
259
259
|`like(X,"y")`|Returns `TRUE` if and only if `X` is like the SQLite pattern in `Y`. |`like(field, "addr%")`|• [`has`](/kusto/query/has-any-operator?view=microsoft-sentinel&preserve-view=true)<br>• [`contains`](/kusto/query/datatypes-string-operators?view=microsoft-sentinel&preserve-view=true)<br>• [`startswith`](/kusto/query/datatypes-string-operators?view=microsoft-sentinel&preserve-view=true)<br>• [matches regex](/kusto/query/regex?view=microsoft-sentinel&preserve-view=true)|[KQL example](#likexy-example)|
260
260
|`log(X,Y)`|Returns the log of the first argument `X` using the second argument `Y` as the base. The default value of `Y` is `10`. |`log(number,2)`|• [`log`](/kusto/query/log-function?view=microsoft-sentinel&preserve-view=true)<br>• [`log2`](/kusto/query/log2-function?view=microsoft-sentinel&preserve-view=true)<br>• [`log10`](/kusto/query/log10-function?view=microsoft-sentinel&preserve-view=true)|`log(X)`<br><br>`log2(X)`<br><br>`log10(X)`|
261
261
|`lower(X)`|Returns the lowercase value of `X`. |`lower(username)`|[tolower](/kusto/query/tolower-function?view=microsoft-sentinel&preserve-view=true)|`tolower(username)`|
262
-
|`ltrim(X,Y)`|Returns `X` with the characters in parameter `Y` trimmed from the left side. The default output of `Y` is spaces and tabs. |`ltrim(" ZZZabcZZ ", " Z")`|[`trim_start()`](/kusto/query/trim-start-function?view=microsoft-fabric&preserve-view=true)|`trim_start(“ ZZZabcZZ”,” ZZZ”)`|
262
+
|`ltrim(X,Y)`|Returns `X` with the characters in parameter `Y` trimmed from the left side. The default output of `Y` is spaces and tabs. |`ltrim(" ZZZabcZZ ", " Z")`|[`trim_start()`](/kusto/query/trim-start-function?view=microsoft-sentinelc&preserve-view=true)|`trim_start(“ ZZZabcZZ”,” ZZZ”)`|
263
263
|`match(X,Y)`|Returns if X matches the regex pattern Y. |`match(field, "^\d{1,3}.\d$")`|[`matches regex`](/kusto/query/regex?view=microsoft-sentinel&preserve-view=true)|`… | where field matches regex @"^\d{1,3}.\d$")` |
264
264
|`max(X,…)`|Returns the maximum value in a column. |`max(delay, mydelay)`|• [`max()`](/kusto/query/max-aggregation-function?view=microsoft-sentinel&preserve-view=true)<br>• [`arg_max()`](/kusto/query/arg-max-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`… | summarize max(field)` |
265
265
|`md5(X)`|Returns the MD5 hash of a string value `X`. |`md5(field)`|[`hash_md5`](/kusto/query/hash-md5-function?view=microsoft-sentinel&preserve-view=true)|`hash_md5("X")`|
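Review bot: the rewritten `iif()` links at 253, 254 and 255 use `view=microsoft-sentinelc`, which does not match the `view=microsoft-sentinel` value every other link in this table uses and reads as a typo; suggest `?view=microsoft-sentinel&preserve-view=true` on all three. The slug change from `iff-function` to `iif-function` should also be checked against the published page before merging, since the `-` lines resolved to a different slug.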
|`mvjoin(X,Y)`|Given a multi-valued field `X` and string delimiter `Y`, and joins the individual values of `X` using `Y`. |`mvjoin(address, ";")`|[`strcat_array`](/kusto/query/strcat-array-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#mvjoinxy-kql-example)|
271
271
|`now()`|Returns the current time, represented in Unix time. |`now()`|[`now()`](/kusto/query/now-function?view=microsoft-sentinel&preserve-view=true)|`now()`<br><br>`now(-2d)`|
272
272
|`null()` |Doesn't accept arguments and returns `NULL`. |`null()` |[null](/kusto/query/scalar-data-types/null-values) |`null`
273
-
|`nullif(X,Y)`|Includes two arguments, `X` and `Y`, and returns `X` if the arguments are different. Otherwise, returns `NULL`. |`nullif(fieldA, fieldB)`|[`iif`](/kusto/query/iff-function?view=microsoft-fabric&preserve-view=true)|`iif(fieldA==fieldB, null, fieldA)`|
273
+
|`nullif(X,Y)`|Includes two arguments, `X` and `Y`, and returns `X` if the arguments are diiferent. Otherwise, returns `NULL`. |`nullif(fieldA, fieldB)`|[`iif`](/kusto/query/iif-function?view=microsoft-sentinelc&preserve-view=true)|`iif(fieldA==fieldB, null, fieldA)`|
274
274
|`random()`|Returns a pseudo-random number between `0` to `2147483647`. |`random()`|[`rand()`](/kusto/query/rand-function?view=microsoft-sentinel&preserve-view=true)|`rand()`|
275
275
|`relative_ time(X,Y)`|Given an epoch time `X` and relative time specifier `Y`, returns the epoch time value of `Y` applied to `X`. |`relative_time(now(),"-1d@d")`|[unix time](/kusto/query/datetime-timespan-arithmetic?view=microsoft-sentinel&preserve-view=true#example-unix-time)|[KQL example](#relative-timexy-kql-example)|
276
-
|`replace(X,Y,Z)`|Returns a string formed by substituting string `Z` for every occurrence of regular expression string `Y` in string `X`. |Returns date with the month and day numbers switched.<br>For example, for the `4/30/2015` input, the output is `30/4/2009`:<br><br>`replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/")`|[`replace()`](/kusto/query/replace-string-function?view=microsoft-fabric&preserve-view=true)|[KQL example](#replacexyz-kql-example)|
276
+
|`replace(X,Y,Z)`|Returns a string formed by substituting string `Z` for every occurrence of regular expression string `Y` in string `X`. |Returns date with the month and day numbers switched.<br>For example, for the `4/30/2015` input, the output is `30/4/2009`:<br><br>`replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/")`|[`replace()`](/kusto/query/replace-string-function?view=microsoft-sentinelc&preserve-view=true)|[KQL example](#replacexyz-kql-example)|
277
277
|`round(X,Y)`|Returns `X` rounded to the number of decimal places specified by `Y`. The default is to round to an integer. |`round(3.5)`|[`round`](/kusto/query/round-function?view=microsoft-sentinel&preserve-view=true)|`round(3.5)`|
278
278
|`rtrim(X,Y)`|Returns `X` with the characters of `Y` trimmed from the right side. If `Y` isn't specified, spaces and tabs are trimmed. |`rtrim(" ZZZZabcZZ ", " Z")`|[`trim_end()`](/kusto/query/trim-end-function?view=microsoft-sentinel&preserve-view=true)|`trim_end(@"[ Z]+",A)`|
279
-
|`searchmatch(X)`|Returns `TRUE` if the event matches the search string `X`. |`searchmatch("foo AND bar")`|[iif()](/kusto/query/iff-function?view=microsoft-fabric&preserve-view=true)|`iif(field has "X","Yes","No")`|
279
+
|`searchmatch(X)`|Returns `TRUE` if the event matches the search string `X`. |`searchmatch("foo AND bar")`|[iif()](/kusto/query/iif-function?view=microsoft-sentinelc&preserve-view=true)|`iif(field has "X","Yes","No")`|
280
280
|`split(X,"Y")`|Returns `X` as a multi-valued field, split by delimiter `Y`. |`split(address, ";")`|[`split()`](/kusto/query/split-function?view=microsoft-sentinel&preserve-view=true)|`split(address, ";")`|
281
281
|`sqrt(X)`|Returns the square root of `X`. |`sqrt(9)`|[`sqrt()`](/kusto/query/sqrt-function?view=microsoft-sentinel&preserve-view=true)|`sqrt(9)`|
282
282
|`strftime(X,Y)`|Returns the epoch time value `X` rendered using the format specified by `Y`. |`strftime(_time, "%H:%M")`|[`format_datetime()`](/kusto/query/format-datetime-function?view=microsoft-sentinel&preserve-view=true)|`format_datetime(time,'HH:mm')`|
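Review bot: line 273 reintroduces the `diiferent` misspelling (`returns X if the arguments are diiferent`) where the removed line was correct, and the `trim_start()`, `iif`, `replace()` and `iif()` links at 262, 273, 276 and 279 carry the same `view=microsoft-sentinelc` typo as the earlier hunk; suggest `different` and `view=microsoft-sentinel` throughout. While the `replace` row at 276 is being touched, its SPL example states that input `4/30/2015` produces `30/4/2009`, but the regex only swaps the month and day groups, so the year in the output should read `2015`.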
|`min(X)`|Returns the minimum value of the field `X`. If the values of `X` are non-numeric, the minimum value is found via alphabetical ordering. |[min()](/kusto/query/min-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`…\| summarize min(X)`|
413
413
|`mode(X)`|Returns the most frequent value of the field `X`. |[top-hitters()](/kusto/query/top-hitters-operator?view=microsoft-sentinel&preserve-view=true)|`…\| top-hitters 1 of Y by X`|
414
414
|`perc(Y)`|Returns the percentile `X` value of the field `Y`. For example, `perc5(total)` returns the fifth percentile value of a field `total`. |[percentile()](/kusto/query/percentiles-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`…\| summarize percentile(Y, 5)`|
415
-
|`range(X)`|Returns the difference between the maximum and minimum values of the field `X`. |[range()](/kusto/query/range-function?view=microsoft-sentinel&preserve-view=true)|`range(1, 3)`|
415
+
|`range(X)`|Returns the diiference between the maximum and minimum values of the field `X`. |[range()](/kusto/query/range-function?view=microsoft-sentinel&preserve-view=true)|`range(1, 3)`|
416
416
|`stdev(X)`|Returns the sample standard deviation of the field `X`. |[stdev](/kusto/query/stdev-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`stdev()`|
417
417
|`stdevp(X)`|Returns the population standard deviation of the field `X`. |[stdevp()](/kusto/query/stdevp-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`stdevp()`|
418
418
|`sum(X)`|Returns the sum of the values of the field `X`. |[sum()](/kusto/query/sum-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`sum(X)`|
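Review bot: line 415 changes `difference` to `diiference`, a new misspelling; the `-` line it replaces was already correct and nothing else in the row changes. Suggest restoring `Returns the difference between the maximum and minimum values of the field X.` and dropping the hunk.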