Splunk query to Kibana

How do I convert this to Kibana query language?

index=visiona "field id=\"0\" value=\"0110\"" | rex max_match=0 "field id=\"39\" value=\"(?<code>([0-9A-Z]+))\"" | where code = "00" OR code="N0" OR code="91" | timechart count by code

and this

index=visiona sourcetype=fo_csshi  "<field id="0" value=\"" |  rex max_match=0 "field id=\"2\" value=\"(?<bin>([0-9]+))" |  
where bin in ("544674" ,"547396" ,"547396","455065","455080","472817","477924","490823","477540","524382","477262","477263","523427","416311")
| rex max_match=0 "<service>Transaction service time is (?<servicetime>([0-9]+)) ms</service>" | rex max_match=1 "<field id=\"0\" value=\"(?<msgcode>([0-9]+))\"" | where msgcode="1100" OR msgcode="1120" OR msgcode="1200" OR msgcode="1220" OR msgcode="1420" | stats  perc95(servicetime) as czas_procesowania by msgcode | eval check=if((czas_procesowania<250)  ,"OK","PROBLEM")

And is there any tutorial for rewriting Splunk queries as Kibana queries?

Kibana and Splunk work in very different ways, so there is no easy converter. When working with the Elastic stack you generally need to do a lot more work up front with respect to parsing out fields and values. This blog post contains a discussion on this topic. Once this is done you can build visualizations with filtering and grouping. As you can see, this will require you to rethink your approach.
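As an added illustration of the "parse up front, then filter and aggregate" approach (example requests for the Kibana Dev Tools console, not something posted in this thread): an ingest pipeline that extracts the fields the Splunk rex commands pull out at search time, followed by the aggregations that stand in for timechart and stats perc95. The index pattern visiona-*, the raw text living in message, the @timestamp field and the pipeline name are assumptions.

```console
// 1. Parse field id/value pairs at ingest time (equivalent of the Splunk rex commands).
//    Pipeline name, "message" and "@timestamp" are assumptions for this example.
PUT _ingest/pipeline/visiona-fields
{
  "description": "Extract msgcode (field id 0), code (field id 39) and servicetime from the raw message",
  "processors": [
    { "grok": { "field": "message", "patterns": ["field id=\"0\" value=\"(?<msgcode>[0-9]+)\""], "ignore_failure": true } },
    { "grok": { "field": "message", "patterns": ["field id=\"39\" value=\"(?<code>[0-9A-Z]+)\""], "ignore_failure": true } },
    { "grok": { "field": "message", "patterns": ["<service>Transaction service time is %{NUMBER:servicetime:int} ms</service>"], "ignore_failure": true } }
  ]
}

// Index documents with ?pipeline=visiona-fields and map msgcode/code as keyword (servicetime as integer)
// so the fields can be filtered on and bucketed.

// 2. Equivalent of: "field id=\"0\" value=\"0110\"" | where code in ("00","N0","91") | timechart count by code
GET visiona-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term":  { "msgcode": "0110" } },
        { "terms": { "code": ["00", "N0", "91"] } }
      ]
    }
  },
  "aggs": {
    "over_time": {
      "date_histogram": { "field": "@timestamp", "fixed_interval": "5m" },
      "aggs": { "by_code": { "terms": { "field": "code" } } }
    }
  }
}

// 3. Equivalent of: where msgcode in (...) | stats perc95(servicetime) as czas_procesowania by msgcode
GET visiona-*/_search
{
  "size": 0,
  "query": { "terms": { "msgcode": ["1100", "1120", "1200", "1220", "1420"] } },
  "aggs": {
    "by_msgcode": {
      "terms": { "field": "msgcode" },
      "aggs": { "czas_procesowania": { "percentiles": { "field": "servicetime", "percents": [95] } } }
    }
  }
}
```

The final eval check (czas_procesowania < 250 → "OK"/"PROBLEM") has no direct query equivalent; it is usually expressed as a threshold in the visualization or as an alert rule on the percentile value.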
