Solved: Splunk query using azure KQL concat

heskez · ‎06-17-2024

Hi there,

I am trying to get some data from MS Defender into a Splunk query.

My original KQL query in azure contains | JOIN KIND INNER. to concat DeviceProcess and DeviceRegistry tables.

The Splunk app I am using:

Splunk https://splunkbase.splunk.com/app/5518

So basically I'd like to do concatenation between DeviceProcess and DeviceRegistry events in advanced hunting query | advhunt in splunk SPL. Is there a suitable Splunk query for this kind of purpose?

KendallW · ‎06-17-2024

Hi @heskez try using the join command:

<left-dataset> | join left=L right=R 
where L.pid = R.pid <right-dataset>

https://docs.splunk.com/Documentation/SCS/current/SearchReference/JoinCommandOverview

View solution in original post

KendallW · ‎06-17-2024

Hi @heskez try using the join command:

<left-dataset> | join left=L right=R 
where L.pid = R.pid <right-dataset>

https://docs.splunk.com/Documentation/SCS/current/SearchReference/JoinCommandOverview

Splunk query using azure KQL concat

join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation