-->
This article is intended to assist users who are familiar with Splunk to learn the Kusto query language to write log queries in Azure Monitor. Direct comparisons are made between the two to understand key differences and also similarities where you can leverage your existing knowledge.
Structure and concepts
The following table compares concepts and data structures between Splunk and Azure Monitor logs.
The purpose of this add-on is to add additional value and sorting to cmdReporter's macOS security, audit, and operational logs. This is done by making the logs CIM compliant, adding tagging for Enterprise Security data models, and other knowledge objects to make searching and visualizing this data easy. This course teaches you how to search and navigate in Splunk, use fields, get statistics from your data, create reports, dashboards, lookups, and alerts. Scenario-based examples and hands-on challenges will enable you to create robust searches, reports, and charts. It will also introduce you to Splunk's datasets features and Pivot interface. Jan 03, 2020 Splunk is a search engine for collecting and analyzing all sorts of 'machine data', including log data and metrics for SQL Server. SQL Monitor gives you the detailed diagnostic view of all your SQL Server instances, and databases. If you have Splunk to monitor your applications and server infrastructure, and SQL Monitor to help you understand the behavior of a complex database system.
| Concept | Splunk | Azure Monitor | Comment |
|---|---|---|---|
| Deployment unit | cluster | cluster | Azure Monitor allows arbitrary cross cluster queries. Splunk does not. |
| Data caches | buckets | Caching and retention policies | Controls the period and caching level for the data. This setting directly impacts the performance of queries and cost of the deployment. |
| Logical partition of data | index | database | Allows logical separation of the data. Both implementations allow unions and joining across these partitions. |
| Structured event metadata | N/A | table | Splunk does not have the concept exposed to the search language of event metadata. Azure Monitor logs has the concept of a table, which has columns. Each event instance is mapped to a row. |
| Data record | event | row | Terminology change only. |
| Data record attribute | field | column | In Azure Monitor, this is predefined as part of the table structure. In Splunk, each event has its own set of fields. |
| Types | datatype | datatype | Azure Monitor datatypes are more explicit as they are set on the columns. Both have the ability to work dynamically with data types and roughly equivalent set of datatypes including JSON support. |
| Query and search | search | query | Concepts are essentially the same between both Azure Monitor and Splunk. |
| Event ingestion time | System Time | ingestion_time() | In Splunk, each event gets a system timestamp of the time that the event was indexed. In Azure Monitor, you can define a policy called ingestion_time that exposes a system column that can be referenced through the ingestion_time() function. |
Functions
The following table specifies functions in Azure Monitor that are equivalent to Splunk functions.
| Splunk | Azure Monitor | Comment |
|---|---|---|
| strcat | strcat() | (1) |
| split | split() | (1) |
| if | iff() | (1) |
| tonumber | todouble() tolong() toint() | (1) |
| upper lower | toupper() tolower() | (1) |
| replace | replace() | (1) Also note that while replace() takes three parameters in both products, the parameters are different. |
| substr | substring() | (1) Also note that Splunk uses one-based indices. Azure Monitor notes zero-based indices. |
| tolower | tolower() | (1) |
| toupper | toupper() | (1) |
| match | matches regex | (2) |
| regex | matches regex | In Splunk, regex is an operator. In Azure Monitor, it's a relational operator. |
| searchmatch | In Splunk, searchmatch allows searching for the exact string. | |
| random | rand() rand(n) | Splunk's function returns a number from zero to 231-1. Azure Monitor' returns a number between 0.0 and 1.0, or if a parameter provided, between 0 and n-1. |
| now | now() | (1) |
| relative_time | totimespan() | (1) In Azure Monitor, Splunk's equivalent of relative_time(datetimeVal, offsetVal) is datetimeVal + totimespan(offsetVal). For example, search | eval n=relative_time(now(), '-1d@d') becomes .. | extend myTime = now() - totimespan('1d'). |
(1) In Splunk, the function is invoked with the eval operator. In Azure Monitor, it is used as part of extend or project.
(2) In Splunk, the function is invoked with the eval operator. In Azure Monitor, it can be used with the where operator.
Operators
The following sections give examples of using different operators between Splunk and Azure Monitor.
Note
For the purpose of the following example, the Splunk field rule maps to a table in Azure Monitor, and Splunk's default timestamp maps to the Logs Analytics ingestion_time() column.
Search
In Splunk, you can omit the search keyword and specify an unquoted string. In Azure Monitor you must start each query with find, an unquoted string is a column name, and the lookup value must be a quoted string.
| Splunk | search | search Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' earliest=-24h |
| Azure Monitor | find | find Session.Id'c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time()> ago(24h) |
Filter
Azure Monitor log queries start from a tabular result set where the filter. In Splunk, filtering is the default operation on the current index. You can also use where operator in Splunk, but it is not recommended.
| Splunk | search | Event.Rule='330009.2' Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' _indextime>-24h |
| Azure Monitor | where | Office_Hub_OHubBGTaskError |
Getting n events/rows for inspection
Azure Monitor log queries also support take as an alias to limit. In Splunk, if the results are ordered, head will return the first n results. In Azure Monitor, limit is not ordered but returns the first n rows that are found.
| Splunk | head | Event.Rule=330009.2 |
| Azure Monitor | limit | Office_Hub_OHubBGTaskError |
Getting the first n events/rows ordered by a field/column
For bottom results, in Splunk you use tail. In Azure Monitor you can specify the ordering direction with asc.
| Splunk | head | Event.Rule='330009.2' |
| Azure Monitor | top | Office_Hub_OHubBGTaskError |
Extending the result set with new fields/columns
Splunk also has an eval function, which is not to be comparable with the eval operator. Both the eval operator in Splunk and the extend operator in Azure Monitor only support scalar functions and arithmetic operators.
Apple may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Apple can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Microsoft lync for mac download.
| Splunk | eval | Event.Rule=330009.2 |
| Azure Monitor | extend | Office_Hub_OHubBGTaskError |
Rename
Azure Monitor uses the project-rename operator to rename a field. project-rename allows the query to take advantage of any indexes pre-built for a field. Splunk has a rename operator to do the same.
Kexts to Boot OS X El Capitan on OSX86 Includes FakeSMC & NullCPUPowermanagement kext Includes Kexts to Fix ATA & SATA Chipset Problems Kext to Fix EL Capitan USB Issues Included To get more information about these kexts view this guide. Appleusbuhci kext for el capitan hackintosh.
| Splunk | rename | Event.Rule=330009.2 |
| Azure Monitor | project-rename | Office_Hub_OHubBGTaskError |
Format results/Projection
Splunk does not seem to have an operator similar to project-away. You can use the UI to filter away fields.
| Splunk | table | Event.Rule=330009.2 |
| Azure Monitor | project project-away | Office_Hub_OHubBGTaskError |
Aggregation
See the Aggregations in Azure Monitor log queries for the different aggregation functions.
| Splunk | stats | search (Rule=120502.*) |
| Azure Monitor | summarize | Office_Hub_OHubBGTaskError |
Join
Join in Splunk has significant limitations. The subquery has a limit of 10000 results (set in the deployment configuration file), and there a limited number of join flavors.
| Splunk | join | Event.Rule=120103* | stats by Client.Id, Data.Alias | join Client.Id max=0 [search earliest=-24h Event.Rule='150310.0' Data.Hresult=-2147221040] |
| Azure Monitor | join | cluster('OAriaPPT').database('Office PowerPoint').Office_PowerPoint_PPT_Exceptions |
Sort
In Splunk, to sort in ascending order you must use the reverse operator. Azure Monitor also supports defining where to put nulls, at the beginning or at the end.
| Splunk | sort | Event.Rule=120103 |
| Azure Monitor | order by | Office_Hub_OHubBGTaskError |
Multivalue expand
This is a similar operator in both Splunk and Azure Monitor.
| Splunk | mvexpand | mvexpand foo |
| Azure Monitor | mvexpand | mvexpand foo |
Results facets, interesting fields
In Log Analytics in the Azure portal, only the first column is exposed. All columns are available through the API.
| Splunk | fields | Event.Rule=330009.2 |
| Azure Monitor | facets | Office_Excel_BI_PivotTableCreate |
Splunk Log Management
De-duplicate
You can use summarize arg_min() instead to reverse the order of which record gets chosen.
| Splunk | dedup | Event.Rule=330009.2 |
| Azure Monitor | summarize arg_max() | Office_Excel_BI_PivotTableCreate |
Next steps
Splunk Training Free
- Go through a lesson on the writing log queries in Azure Monitor.