95505794 asked AlistairRoss-msft answered

Alternative of Splunk query method in KQL method

While making a workbook using KQL with reference to the Splunk query language, I have encountered some doubts regarding the conversion of SPL (Splunk query language) methods to KQL, as I have not found the KQL equivalents of some particular SPL methods.

Some of them are

 - iplocation
 - lookup  
 - values()

So can anyone give the exact conversion of these Splunk methods to KQL?


Also, while exploring the lookup option, I found that ddslookup (or another file), which is a CSV file in Splunk, is used in some of the operations in the Splunk query. How can I do the same in a workbook using KQL?

For example: `lookup abc ip AS def`

Tags: azure-monitor, microsoft-sentinel

AlistairRoss-msft answered PreetParikh-5702 commented

Hello @95505794

  • The ipv4_lookup plugin is the nearest equivalent to iplocation, though there isn't a built-in table for IP locations, giving you the flexibility to choose the example table or one from another provider. Also note that some logs, such as Azure AD sign-in logs, are already enriched with IP location information. IP addresses mapped to entities and Threat Intelligence IPs are also enriched with geolocation data.

  • There is no KQL equivalent to lookup, as KQL is a read-only language within Log Analytics and therefore doesn't add any new data to the environment. To perform something similar, you would need to ingest data into the environment and perform a join. Ways that you can do this include:

      • Watchlists

      • Threat Intelligence

      • A Playbook or equivalent method for ingesting data into Log Analytics

      • The externaldata() operator

  • distinct is the operator I believe you want for values()


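The three mappings in the answer above, worked as one KQL query. This is an added example, not code from the answer or from Microsoft; every table in it is constructed inline with datatable() so it runs in any Log Analytics workspace with no ingested data. The watchlist name `abc`, the column `owner`, the CSV URL placeholder and the event table are all assumptions standing in for whatever your workbook actually reads.

```kql
// Added example, not part of the original answer. All three tables are
// constructed inline with datatable() so the query runs with no ingested
// data; the commented Watchlist / externaldata() lines show what you
// would substitute in a real workbook.
let GeoTable = datatable(cidr:string, country:string, asn:string)
[
    "198.51.100.0/24", "Example-Land", "AS64496",
    "203.0.113.0/24",  "Example-Land", "AS64497",
    "10.0.0.0/8",      "Private",      "-"
];
// Stand-in for a Splunk CSV lookup such as "lookup abc ip AS def".
// Real alternatives (either one replaces the datatable below; the
// watchlist name 'abc' and the 'owner' column are assumed):
//   let Abc = _GetWatchlist('abc') | project def = tostring(SearchKey), owner;  // Sentinel watchlist
//   let Abc = externaldata(def:string, owner:string)
//             [@"https://<storage-account>/abc.csv?<sas-token>"]
//             with (format="csv", ignoreFirstRecord=true);                      // CSV in blob storage
let Abc = datatable(def:string, owner:string)
[
    "198.51.100.7", "vpn-pool",
    "203.0.113.9",  "guest-wifi"
];
// Constructed events standing in for a real table such as SigninLogs.
let Events = datatable(TimeGenerated:datetime, SrcIp:string, User:string)
[
    datetime(2023-01-01 10:00), "198.51.100.7", "alice",
    datetime(2023-01-01 10:05), "203.0.113.9",  "bob",
    datetime(2023-01-01 10:07), "192.0.2.1",    "carol",
    datetime(2023-01-01 10:09), "203.0.113.9",  "alice"
];
Events
// (1) iplocation: longest-prefix match of SrcIp against the CIDR column.
//     return_unmatched=true keeps rows with no hit (192.0.2.1 here) instead
//     of silently dropping them, which is the plugin's default behaviour.
| evaluate ipv4_lookup(GeoTable, SrcIp, cidr, return_unmatched = true)
// (2) lookup abc ip AS def: an exact-key join. kind=leftouter keeps events
//     whose IP is missing from the lookup table, as Splunk's lookup does.
| join kind=leftouter Abc on $left.SrcIp == $right.def
// (3) values(): make_set() collects the distinct values per group, the
//     equivalent of "stats values(country) values(owner) by User".
//     For a flat list of unique rows use "| distinct User, country" instead.
| summarize countries = make_set(country), owners = make_set(owner), events = count() by User
```

Each workbook query item takes a single tabular expression, which is why the three stages are chained into one query rather than run separately. The return_unmatched and leftouter choices matter in a security workbook: without them, an IP that is absent from your geo or lookup table disappears from the result, and an unmapped source address is often exactly the row you want to see.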

Hey, @AlistairRoss-msft
Can you please tell me what is the alternative of treemap_app.treemap(From Splunk dashboard) in azure workbook?

AlistairRoss-msft answered

Hi @PreetParikh-5702

There isn't an equivalent in workbooks for the Splunk treemap, though this can be achieved easily within Power BI (the desktop version is free). This would be a great suggestion and I would recommend you raise it here: https://feedback.azure.com/d365community/forum/3887dc70-2025-ec11-b6e6-000d3a4f09d0

May I ask that you mark the thread as answered if I have answered the original question successfully, and that any additional questions are raised in a separate thread, to ensure that other people can easily find the answers to the questions you ask.

Kind regards

Alistair
