Learn how to translate your Splunk queries to XQL queries in Cortex XSIAM.
To help you easily convert your existing Splunk queries to the Cortex Query Language (XQL) syntax, Cortex XSIAM includes a toggle called Translate to XQL in the query field in the user interface. When building your XQL query and this option is selected, both a SPL query field and XQL query field are displayed, so you can easily add a Splunk query, which is converted to XQL in the XQL query field. This option is disabled by default, so only the XQL query field is displayed.
Important
This feature is still in Beta, and not all Splunk queries can be converted to XQL. Support for additional Splunk query translations will be added in upcoming releases.
The following table details the supported Splunk functions that can be converted to XQL in Cortex XSIAM, with an example of a Splunk query and the resulting XQL query. In each of these examples, the xdr_data dataset is used.
Splunk Function/Stage | Splunk Query Example | Resulting XQL Query Example |
---|---|---|
The following Splunk functions can be translated to XQL:
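As an added illustration (not Cortex XSIAM's own Translate to XQL implementation), the following Python sketch converts a small subset of SPL stages to XQL. The stage mappings it applies are assumptions listed in its comments, and any stage outside that subset raises an error, mirroring the caveat above that not every Splunk query can be converted.

```python
import re

# Illustrative SPL -> XQL translator for a handful of common stages.
# Assumed mappings (not taken from Cortex XSIAM's own translator):
#   search terms `f=v`  -> filter f = "v"      table a b   -> fields a, b
#   stats count by f    -> comp count(_time) as count by f
#   sort -f / sort f    -> sort desc f / sort asc f
#   head N -> limit N   dedup f -> dedup f     where expr -> filter expr
# index=/sourcetype= terms are dropped: xdr_data has no equivalent.

class UnsupportedStage(ValueError):
    """Raised for an SPL stage or form this subset does not translate."""

def _term_to_filter(term: str) -> str:
    m = re.fullmatch(r"(\w+)(!=|=)(.+)", term)
    if not m:
        raise UnsupportedStage(f"cannot translate search term: {term}")
    field, op, value = m.groups()
    if field in ("index", "sourcetype"):
        return ""
    # XQL string literals are double-quoted; leave numbers unquoted.
    if not (value.startswith('"') or re.fullmatch(r"-?\d+(\.\d+)?", value)):
        value = f'"{value}"'
    return f"{field} {op} {value}"

def spl_to_xql(spl: str, dataset: str = "xdr_data") -> str:
    stages = [s.strip() for s in spl.split("|")]
    out = [f"dataset = {dataset}"]
    # The first SPL stage is the implicit search: its terms are ANDed.
    terms = stages[0].removeprefix("search ").split()
    conds = [c for c in (_term_to_filter(t) for t in terms) if c]
    if conds:
        out.append("filter " + " and ".join(conds))
    for stage in stages[1:]:
        cmd, _, args = stage.partition(" ")
        if cmd == "table":
            out.append("fields " + ", ".join(args.split()))
        elif cmd == "where":
            out.append(f"filter {args.strip()}")
        elif cmd == "stats":
            m = re.fullmatch(r"count\s+by\s+(\w+)", args.strip())
            if not m:
                raise UnsupportedStage(f"stats form not supported: {args}")
            out.append(f"comp count(_time) as count by {m.group(1)}")
        elif cmd == "sort":
            field = args.strip()
            direction = "desc" if field.startswith("-") else "asc"
            out.append(f"sort {direction} {field.lstrip('+-')}")
        elif cmd == "head":
            out.append(f"limit {int(args)}")
        elif cmd == "dedup":
            out.append(f"dedup {args.strip()}")
        else:
            raise UnsupportedStage(f"no XQL translation for stage: {cmd}")
    return "\n| ".join(out)
```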
Select Incident Response → Investigation → Query Builder → XQL Search.
Toggle to Translate to XQL, where both a SPL query field and XQL query field are displayed.
Add your Splunk query to the SPL query field.
Click the arrow.
The XQL query field displays the equivalent query in XQL syntax.
You can now decide what to do with this query based on the instructions explained in Create XQL query.