SIEM Query Translator
Source Format
Target Format
Valid
Quick Patterns
Translated Query
high confidenceSecurityEvent | where EventCode == "4625" and src_ip == "10.0.0.1"
Translation Diff
Preserved (1) Modified (2) Lost (1)
EventCode=4src_ip=1searchAND
Confidence Breakdown
| Field | Value | Confidence↕ | Reason |
|---|---|---|---|
| EventCode | 4625 | HIGH | Direct field mapping available |
| src_ip | 10.0.0.1 | HIGH | Direct field mapping available |
Detection engineers constantly rewrite the same logic across SIEM dialects, and a misplaced operator can silently break a rule. This translator converts security queries between Splunk SPL, Microsoft KQL, Elastic Lucene, and Sigma YAML by parsing field-value conditions and boolean logic, then regenerating them in the target syntax — entirely in your browser, with a confidence rating on every translation.
How it works
- Paste a query, then pick its source format and the target format you want (Splunk SPL, KQL, Elastic Lucene, or Sigma YAML).
- The engine parses the query into field-operator-value conditions and boolean connectors, then emits equivalent syntax for the target — for example, mapping Splunk's field=value to KQL's field == "value" inside a where clause.
- It returns a confidence level (high, medium, or low) plus notes and warnings, flagging wildcards, aggregation/piped commands, and Sigma-specific constructs that need manual review rather than guessing at them.
Worked example
Translating a simple Splunk search for failed logins from a single host to KQL.
- Source (Splunk): EventCode=4625 AND src_ip=10.0.0.5 — the parser extracts two conditions joined by AND.
- Map each field=value pair to KQL equality syntax and the AND connector to lowercase "and".
- Generate the KQL: a SecurityEvent table piped to "where EventCode == \"4625\" and src_ip == \"10.0.0.5\"".
A KQL where-clause equivalent of the Splunk search, rated high confidence because it contains only direct field-value conditions with no aggregation or wildcards.
Frequently asked questions
- Which query languages are supported?
- Four: Splunk SPL, Microsoft KQL (used by Sentinel and Defender), Elastic Lucene/KQL query syntax, and Sigma YAML detection rules. You can translate between any pair of these formats in either direction.
- Why is some output marked medium or low confidence?
- Confidence drops when the query uses features that do not map cleanly — aggregation or piped commands, wildcards, or nested field names. Sigma translations are always rated at most medium because logsource and modifier mappings require manual review.
- Does the translator run on a server or send my queries anywhere?
- It runs entirely client-side in your browser using pattern-based parsing. Your queries are never uploaded, which matters because detection logic can reveal sensitive details about your environment and monitoring strategy.
- Will translated queries work without any edits?
- Simple field-value queries usually translate directly, but the tool is a starting point, not a guarantee. Always validate translated rules against your platform's schema and field names — table and field naming differs across SIEMs even when the logic is identical.