Splunk query to Kibana

m.sereda · June 24, 2019, 12:21pm

How to convert this to kibana query language?

index=visiona "field id=\"0\" value=\"0110\"" | rex max_match=0 "field id=\"39\" value=\"(?<code>([0-9A-Z]+))\"" | where code = "00" OR code="N0" OR code="91" | timechart count by code

and this

index=visiona sourcetype=fo_csshi  "<field id="0" value=\"" |  rex max_match=0 "field id=\"2\" value=\"(?<bin>([0-9]+))" |  
where bin in ("544674" ,"547396" ,"547396","455065","455080","472817","477924","490823","477540","524382","477262","477263","523427","416311")
| rex max_match=0 "<service>Transaction service time is (?<servicetime>([0-9]+)) ms</service>" | rex max_match=1 "<field id=\"0\" value=\"(?<msgcode>([0-9]+))\"" | where msgcode="1100" OR msgcode="1120" OR msgcode="1200" OR msgcode="1220" OR msgcode="1420" | stats  perc95(servicetime) as czas_procesowania by msgcode | eval check=if((czas_procesowania<250)  ,"OK","PROBLEM")

And is there any tutorial for rewrite from splunk query to Kibana query?

Christian_Dahlqvist · June 24, 2019, 5:45pm

Kibana and Splunk works in very different ways so there is no easy converter. When working with the Elastic stack you generally need to do a lot more work up front with respect to parsing out fields and values. This blog post contain a discussion on this topic. Once this is done you can build visualizations with filtering and grouping. As you can see this will require you to rethink your approach.

system · July 22, 2019, 5:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.