Translate to XQL - Administrator Guide - Cortex XDR - Cortex - Security Operations

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2025-01-19
Category: Administrator Guide
Abstract

Learn how to translate your Splunk queries to XQL queries in Cortex XDR.

Notice

Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.

To help you convert your existing Splunk queries to Cortex Query Language (XQL) syntax, Cortex XDR provides a Translate to XQL toggle in the query field of the user interface. When this option is selected while you build an XQL query, both an SPL query field and an XQL query field are displayed: you enter a Splunk query in the SPL field, and its XQL translation appears in the XQL query field. The option is disabled by default, in which case only the XQL query field is displayed.

Important

This feature is still in Beta, and not all Splunk queries can be converted to XQL yet. Upcoming releases will extend it to translate a wider range of Splunk queries to XQL.
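To make the stage-by-stage nature of an SPL-to-XQL translation concrete, and the Beta caveat above that some constructs simply cannot be converted, here is a toy translator in Python for one common SPL query shape. It is an added illustration, not Cortex XDR's Translate to XQL implementation; dataset and field names are assumed to pass through unchanged, and anything outside the supported shape is refused rather than turned into a wrong query.

```python
import re

# Toy SPL -> XQL translator for one common query shape (added illustration,
# NOT Cortex XDR's Translate to XQL implementation). Dataset and field names
# pass through unchanged; mapping Splunk field names onto the XDR schema is
# out of scope here. Supported: `index=... key=value ...`, then
# `| stats count by f1, f2`, `| fields ...`, `| sort [-]field`, `| head N`.

class UnsupportedSpl(ValueError):
    """Raised for SPL this translator does not cover, so that an unknown
    construct is rejected instead of being turned into a wrong XQL query."""

def _fields(csv):
    # SPL accepts "a b" or "a, b"; XQL wants "a, b".
    return ", ".join(f for f in re.split(r"[,\s]+", csv.strip()) if f)

def _translate_search(search):
    dataset, conds = None, []
    for tok in search.split():
        # key=value or key!=value, value optionally double-quoted (no spaces)
        m = re.fullmatch(r'(\w+)(!=|=)("?)([^"]*)\3', tok)
        if not m:
            raise UnsupportedSpl(f"unsupported search term: {tok!r}")
        key, op, _, val = m.groups()
        if key == "index":
            dataset = val            # index=foo -> dataset = foo
        else:
            conds.append(f'{key} {op} "{val}"')
    if dataset is None:
        raise UnsupportedSpl("search must name an index (becomes the XQL dataset)")
    stages = [f"dataset = {dataset}"]
    if conds:
        stages.append("filter " + " and ".join(conds))
    return stages

def translate(spl):
    parts = [p.strip() for p in spl.split("|")]
    stages = _translate_search(parts[0])
    for part in parts[1:]:
        cmd, _, args = part.partition(" ")
        if cmd == "stats" and args.startswith("count by "):
            by = _fields(args[len("count by "):])
            stages.append(f"comp count(_time) as event_count by {by}")
        elif cmd == "fields":
            stages.append(f"fields {_fields(args)}")
        elif cmd == "sort":
            # SPL `sort -f` is descending; XQL spells the direction out.
            stages.append(f"sort desc {args[1:]}" if args.startswith("-") else f"sort asc {args}")
        elif cmd == "head":
            stages.append(f"limit {int(args)}")
        else:
            raise UnsupportedSpl(f"unsupported command: {part!r}")
    return "\n| ".join(stages)
```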