SIEM Query Translator

Source Format
Target Format
Valid
Quick Patterns

Translated Query

high confidence
SecurityEvent
| where EventCode == "4625" and src_ip == "10.0.0.1"

Translation Diff

Preserved (1) Modified (2) Lost (1)
EventCode=4src_ip=1searchAND

Confidence Breakdown

FieldValueConfidenceReason
EventCode4625HIGHDirect field mapping available
src_ip10.0.0.1HIGHDirect field mapping available

Detection engineers constantly rewrite the same logic across SIEM dialects, and a misplaced operator can silently break a rule. This translator converts security queries between Splunk SPL, Microsoft KQL, Elastic Lucene, and Sigma YAML by parsing field-value conditions and boolean logic, then regenerating them in the target syntax — entirely in your browser, with a confidence rating on every translation.

How it works

  1. Paste a query, then pick its source format and the target format you want (Splunk SPL, KQL, Elastic Lucene, or Sigma YAML).
  2. The engine parses the query into field-operator-value conditions and boolean connectors, then emits equivalent syntax for the target — for example, mapping Splunk's field=value to KQL's field == "value" inside a where clause.
  3. It returns a confidence level (high, medium, or low) plus notes and warnings, flagging wildcards, aggregation/piped commands, and Sigma-specific constructs that need manual review rather than guessing at them.

Worked example

Translating a simple Splunk search for failed logins from a single host to KQL.

  1. Source (Splunk): EventCode=4625 AND src_ip=10.0.0.5 — the parser extracts two conditions joined by AND.
  2. Map each field=value pair to KQL equality syntax and the AND connector to lowercase "and".
  3. Generate the KQL: a SecurityEvent table piped to "where EventCode == \"4625\" and src_ip == \"10.0.0.5\"".

A KQL where-clause equivalent of the Splunk search, rated high confidence because it contains only direct field-value conditions with no aggregation or wildcards.

Frequently asked questions

Which query languages are supported?
Four: Splunk SPL, Microsoft KQL (used by Sentinel and Defender), Elastic Lucene/KQL query syntax, and Sigma YAML detection rules. You can translate between any pair of these formats in either direction.
Why is some output marked medium or low confidence?
Confidence drops when the query uses features that do not map cleanly — aggregation or piped commands, wildcards, or nested field names. Sigma translations are always rated at most medium because logsource and modifier mappings require manual review.
Does the translator run on a server or send my queries anywhere?
It runs entirely client-side in your browser using pattern-based parsing. Your queries are never uploaded, which matters because detection logic can reveal sensitive details about your environment and monitoring strategy.
Will translated queries work without any edits?
Simple field-value queries usually translate directly, but the tool is a starting point, not a guarantee. Always validate translated rules against your platform's schema and field names — table and field naming differs across SIEMs even when the logic is identical.