Splunk Regex Cheat Sheet

Splunk Regex Cheat Sheet

Splunk Regex Cheat Sheet Excel
Splunk Regex Cheat Sheet Download
Splunk Regex Cheat Sheet Free
Splunk Regex Cheat Sheet  Splunk Regex Examples - Mindmajix Free mindmajix.com. This character is used to escape any special character that may be used in the.
Matches any character except. If modified by the Singleline option, a period character matches any character. For more information, see Regular Expression Options. aeiou Matches any single character included in the specified set of characters. ^aeiou Matches any single character not in the specified set of characters.
EVENTBREAKER = regular expression for event breaks. Useful Regular Expressions Metadata Rewrites (to use, add TRANSFORMS- to a sourcetype stanza in props.conf, then add rewrite to transforms.conf). Splunk® Data Onboarding Cheat Sheet (v2.5) v2.5.2. Review The Data.
-->This article is intended to assist users who are familiar with Splunk learn the Kusto Query Language to write log queries with Kusto. Direct comparisons are made between the two to highlight key differences and similarities, so you can build on your existing knowledge.
Structure and conceptsThe following table compares concepts and data structures between Splunk and Kusto logs:
ConceptSplunkKustoComment
deployment unitclusterclusterKusto allows arbitrary cross-cluster queries. Splunk does not.
data cachesbucketscaching and retention policiesControls the period and caching level for the data. This setting directly affects the performance of queries and the cost of the deployment.
logical partition of dataindexdatabaseAllows logical separation of the data. Both implementations allow unions and joining across these partitions.
structured event metadataN/AtableSplunk doesn't expose the concept of event metadata to the search language. Kusto logs have the concept of a table, which has columns. Each event instance is mapped to a row.
data recordeventrowTerminology change only.
data record attributefieldcolumnIn Kusto, this setting is predefined as part of the table structure. In Splunk, each event has its own set of fields.
typesdatatypedatatypeKusto data types are more explicit because they're set on the columns. Both have the ability to work dynamically with data types and roughly equivalent set of datatypes, including JSON support.
query and searchsearchqueryConcepts essentially are the same between Kusto and Splunk.
event ingestion timesystem timeingestion_time()In Splunk, each event gets a system timestamp of the time the event was indexed. In Kusto, you can define a policy called ingestion_time that exposes a system column that can be referenced through the ingestion_time() function.
FunctionsThe following table specifies functions in Kusto that are equivalent to Splunk functions.

Concept	Splunk	Kusto	Comment
deployment unit	cluster	cluster	Kusto allows arbitrary cross-cluster queries. Splunk does not.
data caches	buckets	caching and retention policies	Controls the period and caching level for the data. This setting directly affects the performance of queries and the cost of the deployment.
logical partition of data	index	database	Allows logical separation of the data. Both implementations allow unions and joining across these partitions.
structured event metadata	N/A	table	Splunk doesn't expose the concept of event metadata to the search language. Kusto logs have the concept of a table, which has columns. Each event instance is mapped to a row.
data record	event	row	Terminology change only.
data record attribute	field	column	In Kusto, this setting is predefined as part of the table structure. In Splunk, each event has its own set of fields.
types	datatype	datatype	Kusto data types are more explicit because they're set on the columns. Both have the ability to work dynamically with data types and roughly equivalent set of datatypes, including JSON support.
query and search	search	query	Concepts essentially are the same between Kusto and Splunk.
event ingestion time	system time	`ingestion_time()`	In Splunk, each event gets a system timestamp of the time the event was indexed. In Kusto, you can define a policy called ingestion_time that exposes a system column that can be referenced through the ingestion_time() function.

SplunkKustoComment
strcatstrcat()(1)
splitsplit()(1)
ififf()(1)
tonumbertodouble()
tolong()
toint()(1)
upper
lowertoupper()
tolower()(1)
replacereplace()(1)
 Also note that although replace() takes three parameters in both products, the parameters are different.
substrsubstring()(1)
Also note that Splunk uses one-based indices. Kusto notes zero-based indices.
tolowertolower()(1)
touppertoupper()(1)
matchmatches regex(2)
regexmatches regexIn Splunk, regex is an operator. In Kusto, it's a relational operator.
searchmatchIn Splunk, searchmatch allows searching for the exact string.
randomrand()
rand(n)Splunk's function returns a number between zero to 231-1. Kusto's returns a number between 0.0 and 1.0, or if a parameter is provided, between 0 and n-1.
nownow()(1)
relative_timetotimespan()(1)
In Kusto, Splunk's equivalent of relative_time(datetimeVal, offsetVal) is datetimeVal + totimespan(offsetVal).
For example, search | eval n=relative_time(now(), '-1d@d') becomes .. | extend myTime = now() - totimespan('1d').
(1) In Splunk, the function is invoked by using the eval operator. In Kusto, it's used as part of extend or project.
(2) In Splunk, the function is invoked by using the eval operator. In Kusto, it can be used with the where operator.
OperatorsThe following sections give examples of how to use different operators in Splunk and Kusto.
Note
In the following examples, the Splunk field rule maps to a table in Kusto, and Splunk's default timestamp maps to the Logs Analytics ingestion_time() column.
Search

Splunk	Kusto	Comment
`strcat`	`strcat()`	(1)
`split`	`split()`	(1)
`if`	`iff()`	(1)
`tonumber`	`todouble()` `tolong()` `toint()`	(1)
`upper` `lower`	`toupper()` `tolower()`	(1)
`replace`	`replace()`	(1) Also note that although `replace()` takes three parameters in both products, the parameters are different.
`substr`	`substring()`	(1) Also note that Splunk uses one-based indices. Kusto notes zero-based indices.
`tolower`	`tolower()`	(1)
`toupper`	`toupper()`	(1)
`match`	`matches regex`	(2)
`regex`	`matches regex`	In Splunk, `regex` is an operator. In Kusto, it's a relational operator.
`searchmatch`	In Splunk, `searchmatch` allows searching for the exact string.
`random`	rand() rand(n)	Splunk's function returns a number between zero to 2³¹-1. Kusto's returns a number between 0.0 and 1.0, or if a parameter is provided, between 0 and n-1.
`now`	`now()`	(1)
`relative_time`	`totimespan()`	(1) In Kusto, Splunk's equivalent of `relative_time(datetimeVal, offsetVal)` is `datetimeVal + totimespan(offsetVal)`. For example, `search` \| `eval n=relative_time(now(), '-1d@d')` becomes `..` \| `extend myTime = now() - totimespan('1d')`.

In Splunk, you can omit the search keyword and specify an unquoted string. In Kusto, you must start each query with find, an unquoted string is a column name, and the lookup value must be a quoted string.
ProductOperatorExample
Splunksearchsearch Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' earliest=-24h
Kustofindfind Session.Id'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time()> ago(24h)
FilterKusto log queries start from a tabular result set in which filter is applied. In Splunk, filtering is the default operation on the current index. Openssh ubuntu 20. You also can use the where operator in Splunk, but we don't recommend it.
ProductOperatorExample
SplunksearchEvent.Rule='330009.2' Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' _indextime>-24h
KustowhereOffice_Hub_OHubBGTaskError
| where Session_Id 'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time() > ago(24h)
Get n events or rows for inspectionKusto log queries also support take as an alias to limit. In Splunk, if the results are ordered, head returns the first n results. In Kusto, limit isn't ordered, but it returns the first n rows that are found.
ProductOperatorExample
SplunkheadEvent.Rule=330009.2
| head 100
KustolimitOffice_Hub_OHubBGTaskError
| limit 100
Get the first n events or rows ordered by a field or columnFor the bottom results, in Splunk, you use tail. In Kusto, you can specify ordering direction by using asc.
ProductOperatorExample
SplunkheadEvent.Rule='330009.2'
| sort Event.Sequence
| head 20
KustotopOffice_Hub_OHubBGTaskError
| top 20 by Event_Sequence
Extend the result set with new fields or columnsSplunk has an eval function, but it's not comparable to the eval operator in Kusto. Both the eval operator in Splunk and the extend operator in Kusto support only scalar functions and arithmetic operators.
ProductOperatorExample
SplunkevalEvent.Rule=330009.2
| eval state= if(Data.Exception = '0', 'success', 'error')
KustoextendOffice_Hub_OHubBGTaskError
| extend state = iif(Data_Exception 0,'success' ,'error')
RenameKusto uses the project-rename operator to rename a field. In the project-rename operator, a query can take advantage of any indexes that are prebuilt for a field. Splunk has a rename operator that does the same.
ProductOperatorExample
SplunkrenameEvent.Rule=330009.2
| rename Date.Exception as execption
Kustoproject-renameOffice_Hub_OHubBGTaskError
| project-rename exception = Date_Exception
Format results and projectionSplunk doesn't appear to have an operator that's similar to project-away. You can use the UI to filter out fields.
It is Fernet-Branca, and it is the Bartender's Handshake. Just as a knowledge of and appreciation for Fernet-Branca will allow industry outsiders to step, honorarily, behind the scenes of this age-old profession, this blog aims to allow you, the craft cocktail enthusiast or aspiring bartender, to gain insight into how the pros make great drinks. A small, neighborhood cocktail bar. Serving craft cocktails, unique wines, and beer alongside homemade bites. Bartenders handshake. The most famous 'bartender's handshake' is, by now, pretty well known: Fernet-Branca, the mid-19th-century Italian liqueur. The Bartender's Handshake made for a super fun date night even with a tiny girl in hand. She tried the Karate Kid with ginger, carrot, ancho chili, & mint and had a blast. The waitstaff were extremely kind to both us and her and she loved the food too.
ProductOperatorExample
SplunktableEvent.Rule=330009.2
| table rule, state
Kustoproject
project-awayOffice_Hub_OHubBGTaskError
| project exception, state
AggregationSee the list of aggregations functions that are available.
ProductOperatorExample
Splunkstatssearch (Rule=120502.*)
| stats count by OSEnv, Audience
KustosummarizeOffice_Hub_OHubBGTaskError
| summarize count() by App_Platform, Release_Audience
Joinjoin in Splunk has substantial limitations. The subquery has a limit of 10,000 results (set in the deployment configuration file), and a limited number of join flavors are available.

Product	Operator	Example
Splunk	`search`	`search Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' earliest=-24h`
Kusto	`find`	`find Session.Id'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time()> ago(24h)`

Product	Operator	Example
Splunk	`search`	`Event.Rule='330009.2' Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' _indextime>-24h`
Kusto	`where`	`Office_Hub_OHubBGTaskError` \| `where Session_Id 'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time() > ago(24h)`

Product	Operator	Example
Splunk	`head`	`Event.Rule=330009.2` \| `head 100`
Kusto	`limit`	`Office_Hub_OHubBGTaskError` \| `limit 100`

Product	Operator	Example
Splunk	`head`	`Event.Rule='330009.2'` \| `sort Event.Sequence` \| `head 20`
Kusto	`top`	`Office_Hub_OHubBGTaskError` \| `top 20 by Event_Sequence`

Product	Operator	Example
Splunk	`eval`	`Event.Rule=330009.2` \| `eval state= if(Data.Exception = '0', 'success', 'error')`
Kusto	`extend`	`Office_Hub_OHubBGTaskError` \| `extend state = iif(Data_Exception 0,'success' ,'error')`

Product	Operator	Example
Splunk	`rename`	`Event.Rule=330009.2` \| `rename Date.Exception as execption`
Kusto	`project-rename`	`Office_Hub_OHubBGTaskError` \| `project-rename exception = Date_Exception`

Product	Operator	Example
Splunk	`table`	`Event.Rule=330009.2` \| `table rule, state`
Kusto	`project` `project-away`	`Office_Hub_OHubBGTaskError` \| `project exception, state`

Product	Operator	Example
Splunk	`stats`	`search (Rule=120502.*)` \| `stats count by OSEnv, Audience`
Kusto	`summarize`	`Office_Hub_OHubBGTaskError` \| `summarize count() by App_Platform, Release_Audience`

ProductOperatorExample
SplunkjoinEvent.Rule=120103* | stats by Client.Id, Data.Alias
| join Client.Id max=0 [search earliest=-24h Event.Rule='150310.0' Data.Hresult=-2147221040]
Kustojoincluster('OAriaPPT').database('Office PowerPoint').Office_PowerPoint_PPT_Exceptions
| where Data_Hresult -2147221040
| join kind = inner (Office_System_SystemHealthMetadata
| summarize by Client_Id, Data_Alias)on Client_Id
SortIn Splunk, to sort in ascending order, you must use the reverse operator. Kusto also supports defining where to put nulls, either at the beginning or at the end.
ProductOperatorExample
SplunksortEvent.Rule=120103
| sort Data.Hresult
| reverse
Kustoorder byOffice_Hub_OHubBGTaskError
| order by Data_Hresult, desc
Splunk Regex Cheat Sheet ExcelMultivalue expandSplunk Regex Cheat Sheet Download

Product	Operator	Example
Splunk	`join`	`Event.Rule=120103* \| stats by Client.Id, Data.Alias` \| `join Client.Id max=0 [search earliest=-24h Event.Rule='150310.0' Data.Hresult=-2147221040]`
Kusto	`join`	`cluster('OAriaPPT').database('Office PowerPoint').Office_PowerPoint_PPT_Exceptions` \| `where Data_Hresult -2147221040` \| `join kind = inner (Office_System_SystemHealthMetadata` \| `summarize by Client_Id, Data_Alias)on Client_Id`

Product	Operator	Example
Splunk	`sort`	`Event.Rule=120103` \| `sort Data.Hresult` \| `reverse`
Kusto	`order by`	`Office_Hub_OHubBGTaskError` \| `order by Data_Hresult, desc`

SplunkKustoComment
strcatstrcat()(1)
splitsplit()(1)
ififf()(1)
tonumbertodouble()
tolong()
toint()(1)
upper
lowertoupper()
tolower()(1)
replacereplace()(1)
 Also note that although replace() takes three parameters in both products, the parameters are different.
substrsubstring()(1)
Also note that Splunk uses one-based indices. Kusto notes zero-based indices.
tolowertolower()(1)
touppertoupper()(1)
matchmatches regex(2)
regexmatches regexIn Splunk, regex is an operator. In Kusto, it's a relational operator.
searchmatchIn Splunk, searchmatch allows searching for the exact string.
randomrand()
rand(n)Splunk's function returns a number between zero to 231-1. Kusto's returns a number between 0.0 and 1.0, or if a parameter is provided, between 0 and n-1.
nownow()(1)
relative_timetotimespan()(1)
In Kusto, Splunk's equivalent of relative_time(datetimeVal, offsetVal) is datetimeVal + totimespan(offsetVal).
For example, search | eval n=relative_time(now(), '-1d@d') becomes .. | extend myTime = now() - totimespan('1d').
(1) In Splunk, the function is invoked by using the eval operator. In Kusto, it's used as part of extend or project.
(2) In Splunk, the function is invoked by using the eval operator. In Kusto, it can be used with the where operator.
OperatorsThe following sections give examples of how to use different operators in Splunk and Kusto.
Note
In the following examples, the Splunk field rule maps to a table in Kusto, and Splunk's default timestamp maps to the Logs Analytics ingestion_time() column.
SearchIn Splunk, you can omit the search keyword and specify an unquoted string. In Kusto, you must start each query with find, an unquoted string is a column name, and the lookup value must be a quoted string.
ProductOperatorExample
Splunksearchsearch Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' earliest=-24h
Kustofindfind Session.Id'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time()> ago(24h)
FilterKusto log queries start from a tabular result set in which filter is applied. In Splunk, filtering is the default operation on the current index. Openssh ubuntu 20. You also can use the where operator in Splunk, but we don't recommend it.
ProductOperatorExample
SplunksearchEvent.Rule='330009.2' Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' _indextime>-24h
KustowhereOffice_Hub_OHubBGTaskError
| where Session_Id 'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time() > ago(24h)
Get n events or rows for inspectionKusto log queries also support take as an alias to limit. In Splunk, if the results are ordered, head returns the first n results. In Kusto, limit isn't ordered, but it returns the first n rows that are found.
ProductOperatorExample
SplunkheadEvent.Rule=330009.2
| head 100
KustolimitOffice_Hub_OHubBGTaskError
| limit 100
Get the first n events or rows ordered by a field or columnFor the bottom results, in Splunk, you use tail. In Kusto, you can specify ordering direction by using asc.
ProductOperatorExample
SplunkheadEvent.Rule='330009.2'
| sort Event.Sequence
| head 20
KustotopOffice_Hub_OHubBGTaskError
| top 20 by Event_Sequence
Extend the result set with new fields or columnsSplunk has an eval function, but it's not comparable to the eval operator in Kusto. Both the eval operator in Splunk and the extend operator in Kusto support only scalar functions and arithmetic operators.
ProductOperatorExample
SplunkevalEvent.Rule=330009.2
| eval state= if(Data.Exception = '0', 'success', 'error')
KustoextendOffice_Hub_OHubBGTaskError
| extend state = iif(Data_Exception 0,'success' ,'error')
RenameKusto uses the project-rename operator to rename a field. In the project-rename operator, a query can take advantage of any indexes that are prebuilt for a field. Splunk has a rename operator that does the same.
ProductOperatorExample
SplunkrenameEvent.Rule=330009.2
| rename Date.Exception as execption
Kustoproject-renameOffice_Hub_OHubBGTaskError
| project-rename exception = Date_Exception
Format results and projectionSplunk doesn't appear to have an operator that's similar to project-away. You can use the UI to filter out fields.
It is Fernet-Branca, and it is the Bartender's Handshake. Just as a knowledge of and appreciation for Fernet-Branca will allow industry outsiders to step, honorarily, behind the scenes of this age-old profession, this blog aims to allow you, the craft cocktail enthusiast or aspiring bartender, to gain insight into how the pros make great drinks. A small, neighborhood cocktail bar. Serving craft cocktails, unique wines, and beer alongside homemade bites. Bartenders handshake. The most famous 'bartender's handshake' is, by now, pretty well known: Fernet-Branca, the mid-19th-century Italian liqueur. The Bartender's Handshake made for a super fun date night even with a tiny girl in hand. She tried the Karate Kid with ginger, carrot, ancho chili, & mint and had a blast. The waitstaff were extremely kind to both us and her and she loved the food too.
ProductOperatorExample
SplunktableEvent.Rule=330009.2
| table rule, state
Kustoproject
project-awayOffice_Hub_OHubBGTaskError
| project exception, state
AggregationSee the list of aggregations functions that are available.
ProductOperatorExample
Splunkstatssearch (Rule=120502.*)
| stats count by OSEnv, Audience
KustosummarizeOffice_Hub_OHubBGTaskError
| summarize count() by App_Platform, Release_Audience
Joinjoin in Splunk has substantial limitations. The subquery has a limit of 10,000 results (set in the deployment configuration file), and a limited number of join flavors are available.
ProductOperatorExample
SplunkjoinEvent.Rule=120103* | stats by Client.Id, Data.Alias
| join Client.Id max=0 [search earliest=-24h Event.Rule='150310.0' Data.Hresult=-2147221040]
Kustojoincluster('OAriaPPT').database('Office PowerPoint').Office_PowerPoint_PPT_Exceptions
| where Data_Hresult -2147221040
| join kind = inner (Office_System_SystemHealthMetadata
| summarize by Client_Id, Data_Alias)on Client_Id
SortIn Splunk, to sort in ascending order, you must use the reverse operator. Kusto also supports defining where to put nulls, either at the beginning or at the end.
ProductOperatorExample
SplunksortEvent.Rule=120103
| sort Data.Hresult
| reverse
Kustoorder byOffice_Hub_OHubBGTaskError
| order by Data_Hresult, desc
Splunk Regex Cheat Sheet ExcelMultivalue expandSplunk Regex Cheat Sheet DownloadThe multivalue expand operator is similar in both Splunk and Kusto.
Splunk Regex Cheat Sheet FreeProductOperatorExample
Splunkmvexpandmvexpand solutions
Kustomv-expandmv-expand solutions
Result facets, interesting fieldsWebex exe file download. In Log Analytics in the Azure portal, only the first column is exposed. All columns are available through the API.
ProductOperatorExample
SplunkfieldsEvent.Rule=330009.2
| fields App.Version, App.Platform
KustofacetsOffice_Excel_BI_PivotTableCreate
| facet by App_Branch, App_Version
DeduplicateIn Kusto, you can use summarize arg_min() to reverse the order of which record is chosen.
ProductOperatorExample
SplunkdedupEvent.Rule=330009.2
| dedup device_id sortby -batterylife
Kustosummarize arg_max()Office_Excel_BI_PivotTableCreate
| summarize arg_max(batterylife, *) by device_id
Next stepsWalk through a tutorial on the Kusto Query Language.

Product	Operator	Example
Splunk	`mvexpand`	`mvexpand solutions`
Kusto	`mv-expand`	`mv-expand solutions`

Product	Operator	Example
Splunk	`fields`	`Event.Rule=330009.2` \| `fields App.Version, App.Platform`
Kusto	`facets`	`Office_Excel_BI_PivotTableCreate` \| `facet by App_Branch, App_Version`

Product	Operator	Example
Splunk	`dedup`	`Event.Rule=330009.2` \| `dedup device_id sortby -batterylife`
Kusto	`summarize arg_max()`	`Office_Excel_BI_PivotTableCreate` \| `summarize arg_max(batterylife, *) by device_id`