This article is intended to assist users who are familiar with Splunk in learning the Kusto query language, so that they can write log queries in Azure Monitor. Direct comparisons are made between the two to highlight key differences, as well as similarities where you can leverage your existing knowledge.
Structure and concepts
The following table compares concepts and data structures between Splunk and Azure Monitor logs.
Concept | Splunk | Azure Monitor | Comment |
---|---|---|---|
Deployment unit | cluster | cluster | Azure Monitor allows arbitrary cross cluster queries. Splunk does not. |
Data caches | buckets | Caching and retention policies | Controls the period and caching level for the data. This setting directly impacts the performance of queries and cost of the deployment. |
Logical partition of data | index | database | Allows logical separation of the data. Both implementations allow unions and joining across these partitions. |
Structured event metadata | N/A | table | Splunk does not expose the concept of event metadata to the search language. Azure Monitor logs has the concept of a table, which has columns. Each event instance is mapped to a row. |
Data record | event | row | Terminology change only. |
Data record attribute | field | column | In Azure Monitor, this is predefined as part of the table structure. In Splunk, each event has its own set of fields. |
Types | datatype | datatype | Azure Monitor datatypes are more explicit, as they are set on the columns. Both can work dynamically with data types and offer a roughly equivalent set of datatypes, including JSON support. |
Query and search | search | query | Concepts are essentially the same between both Azure Monitor and Splunk. |
Event ingestion time | System Time | ingestion_time() | In Splunk, each event gets a system timestamp of the time that the event was indexed. In Azure Monitor, you can define a policy called ingestion_time that exposes a system column that can be referenced through the ingestion_time() function. |
Functions
The following table specifies functions in Azure Monitor that are equivalent to Splunk functions.
Splunk | Azure Monitor | Comment |
---|---|---|
strcat | strcat() | (1) |
split | split() | (1) |
if | iff() | (1) |
tonumber | todouble() tolong() toint() | (1) |
upper lower | toupper() tolower() | (1) |
replace | replace() | (1) Also note that while replace() takes three parameters in both products, the parameters are different. |
substr | substring() | (1) Also note that Splunk uses one-based indices, whereas Azure Monitor uses zero-based indices. |
tolower | tolower() | (1) |
toupper | toupper() | (1) |
match | matches regex | (2) |
regex | matches regex | In Splunk, regex is an operator. In Azure Monitor, it's a relational operator. |
searchmatch | | In Splunk, searchmatch allows searching for the exact string. |
random | rand() rand(n) | Splunk's function returns a number from zero to 2^31-1. Azure Monitor's returns a number between 0.0 and 1.0, or, if a parameter is provided, between 0 and n-1. |
now | now() | (1) |
relative_time | totimespan() | (1) In Azure Monitor, the equivalent of Splunk's relative_time(datetimeVal, offsetVal) is datetimeVal + totimespan(offsetVal). For example, search | eval n=relative_time(now(), '-1d@d') becomes .. | extend myTime = now() - totimespan('1d'). |
(1) In Splunk, the function is invoked with the eval operator. In Azure Monitor, it is used as part of extend or project.
(2) In Splunk, the function is invoked with the eval operator. In Azure Monitor, it can be used with the where operator.
Operators
The following sections give examples of using different operators between Splunk and Azure Monitor.
Note
For the purpose of the following examples, the Splunk field rule maps to a table in Azure Monitor, and Splunk's default timestamp maps to the Log Analytics ingestion_time() column.
Search
In Splunk, you can omit the search keyword and specify an unquoted string. In Azure Monitor you must start each query with find; an unquoted string is a column name, and the lookup value must be a quoted string.
Product | Operator | Example |
---|---|---|
Splunk | search | search Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' earliest=-24h |
Azure Monitor | find | find Session.Id=='c8894ffd-e684-43c9-9125-42adc25cd3fc' and ingestion_time()> ago(24h) |
Filter
Azure Monitor log queries start from a tabular result set to which the filter is applied. In Splunk, filtering is the default operation on the current index. You can also use the where operator in Splunk, but it is not recommended.
Product | Operator | Example |
---|---|---|
Splunk | search | Event.Rule='330009.2' Session.Id='c8894ffd-e684-43c9-9125-42adc25cd3fc' _indextime>-24h |
Azure Monitor | where | Office_Hub_OHubBGTaskError |
Getting n events/rows for inspection
Azure Monitor log queries also support take as an alias of limit. In Splunk, if the results are ordered, head returns the first n results. In Azure Monitor, limit is not ordered but returns the first n rows that are found.
Product | Operator | Example |
---|---|---|
Splunk | head | Event.Rule=330009.2 |
Azure Monitor | limit | Office_Hub_OHubBGTaskError |
Getting the first n events/rows ordered by a field/column
For bottom results, in Splunk you use tail. In Azure Monitor you can specify the ordering direction with asc.
Product | Operator | Example |
---|---|---|
Splunk | head | Event.Rule='330009.2' |
Azure Monitor | top | Office_Hub_OHubBGTaskError |
Extending the result set with new fields/columns
Splunk also has an eval function, which is not comparable with the eval operator. Both the eval operator in Splunk and the extend operator in Azure Monitor support only scalar functions and arithmetic operators.
Product | Operator | Example |
---|---|---|
Splunk | eval | Event.Rule=330009.2 |
Azure Monitor | extend | Office_Hub_OHubBGTaskError |
Rename
Azure Monitor uses the project-rename operator to rename a field. project-rename allows the query to take advantage of any indexes pre-built for a field. Splunk has a rename operator that does the same.
Product | Operator | Example |
---|---|---|
Splunk | rename | Event.Rule=330009.2 |
Azure Monitor | project-rename | Office_Hub_OHubBGTaskError |
Format results/Projection
Splunk does not seem to have an operator similar to project-away. You can use the UI to filter away fields.
Product | Operator | Example |
---|---|---|
Splunk | table | Event.Rule=330009.2 |
Azure Monitor | project project-away | Office_Hub_OHubBGTaskError |
Aggregation
See Aggregations in Azure Monitor log queries for the different aggregation functions.
Product | Operator | Example |
---|---|---|
Splunk | stats | search (Rule=120502.*) |
Azure Monitor | summarize | Office_Hub_OHubBGTaskError |
Join
Join in Splunk has significant limitations. The subquery has a limit of 10000 results (set in the deployment configuration file), and there are a limited number of join flavors.
Product | Operator | Example |
---|---|---|
Splunk | join | Event.Rule=120103* | stats by Client.Id, Data.Alias | join Client.Id max=0 [search earliest=-24h Event.Rule='150310.0' Data.Hresult=-2147221040] |
Azure Monitor | join | cluster('OAriaPPT').database('Office PowerPoint').Office_PowerPoint_PPT_Exceptions |
Sort
In Splunk, to sort in ascending order you must use the reverse operator. Azure Monitor also supports defining where to put nulls, at the beginning or at the end.
Product | Operator | Example |
---|---|---|
Splunk | sort | Event.Rule=120103 |
Azure Monitor | order by | Office_Hub_OHubBGTaskError |
Multivalue expand
This is a similar operator in both Splunk and Azure Monitor.
Product | Operator | Example |
---|---|---|
Splunk | mvexpand | mvexpand foo |
Azure Monitor | mvexpand | mvexpand foo |
Results facets, interesting fields
In Log Analytics in the Azure portal, only the first column is exposed. All columns are available through the API.
Product | Operator | Example |
---|---|---|
Splunk | fields | Event.Rule=330009.2 |
Azure Monitor | facets | Office_Excel_BI_PivotTableCreate |
De-duplicate
You can use summarize arg_min() instead to reverse the order in which records are chosen.
Product | Operator | Example |
---|---|---|
Splunk | dedup | Event.Rule=330009.2 |
Azure Monitor | summarize arg_max() | Office_Excel_BI_PivotTableCreate |
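As an added end-to-end example (not part of the original article), the operator and function mappings above are applied to one detection-style search for accounts with ten or more failed Windows logons in the last 24 hours; the Splunk SPL version sits in the leading comment and its Azure Monitor KQL equivalent follows. The table and column names (Sentinel's SecurityEvent with EventID, TargetUserName, LogonType, IpAddress and TimeGenerated) and the Splunk index name are assumptions, not taken from this page.

```kusto
// Splunk SPL version (shown as a comment so both sides sit together):
//   index=wineventlog EventCode=4625 earliest=-24h
//   | eval user=lower(TargetUserName), logon_kind=if(LogonType=10, "remote", "other")
//   | stats count as failures, dc(IpAddress) as sources,
//           latest(_time) as last_seen, latest(IpAddress) as last_ip by user, logon_kind
//   | where failures >= 10
//   | sort -failures
//   | head 20
//
// Azure Monitor KQL equivalent. Assumed (not from the article): the Sentinel
// SecurityEvent table and its EventID, TargetUserName, LogonType, IpAddress
// and TimeGenerated columns.
SecurityEvent
// Splunk's earliest=-24h on the default timestamp maps to ingestion_time(); the
// implicit "EventCode=4625" search term becomes an explicit where predicate.
| where ingestion_time() > ago(24h) and EventID == 4625
// eval -> extend; lower() -> tolower(); if() -> iff() (footnote 1 above)
| extend user = tolower(TargetUserName),
         logon_kind = iff(LogonType == 10, "remote", "other")
// stats -> summarize; dc() -> dcount(); latest() -> arg_max() on the timestamp,
// which also returns the IpAddress of that most recent failure
| summarize failures = count(),
            sources = dcount(IpAddress),
            arg_max(TimeGenerated, IpAddress)
            by user, logon_kind
| where failures >= 10
// arg_max() keeps the source column names; rename them with project-rename
| project-rename last_seen = TimeGenerated, last_ip = IpAddress
// sort -failures -> order by ... desc; KQL also lets you place nulls explicitly
| order by failures desc nulls last
// head 20 -> take 20 (alias of limit); ordered here because of the order by above
| take 20
```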
Next steps
- Go through a lesson on writing log queries in Azure Monitor.