Compare Output Values Between Splunk and Dynatrace Using DQL

sharmas2 — Wed, 17 Dec 2025 12:02:03 GMT

Hi,

"I have the following Splunk query, and I'm trying to generate the corresponding output in Dynatrace."

splunk query :-

index=ngss*_sourcefire_secevents | rex field=index "(?<Local_Market>\w.*?)_"
| eval BlockedStatus =
case(Like(src_ip,"64.39.106.%") AND InlineResultID=4 ," Qualys Blocked",
Like(src_ip,"154.59.121.%") AND InlineResultID=4," Qualys Blocked",
Like(src_ip,"64.39.106.%") AND InlineResultID=0," Qualys Not Blocked",
Like(src_ip,"154.59.121.%") AND InlineResultID=0," Qualys Not Blocked",
NOT Like(src_ip,"64.39.106.%") AND InlineResultID=4,"Non Qualys Blocked",
NOT Like(src_ip,"154.59.121.%") AND InlineResultID=4,"Non Qualys Blocked",
NOT Like(src_ip,"64.39.106.%") AND InlineResultID=0,"Non Qualys Not Blocked",
NOT Like(src_ip,"154.59.121.%") AND InlineResultID=0,"Non Qualys Not Blocked")
| stats count by Local_Market BlockedStatus | rename eventtype as "Local Market",count as "Total Critical Events"

corresponding DQL is as below , where i am getting Null value ..
Please not that in DQL Src_ip is consider as "InitiatorIP".

DQL query is as below :-

fetch logs // scanLimitGBytes: , samplingRatio: 1000

| filter contains(dt.security_context,"ngss")
| parse content,"""LD 'InlineResultID":' string:InlineResultID "," """
//| parse content, """LD 'InitiatorIP'[^,]{1,100}?:"InitiatorIP','""""
| fieldsAdd market = substring(dt.security_context, to: indexOf(dt.security_context, "_"))
| parse content, """ LD 'InitiatorIP\":\"' IPADDR:InitiatorIP """
| parse content, """ LD 'InitiatorIP=' IPADDR:InitiatorIP """
| fieldsadd QualysBlocked=if((like(SrcIP"154.59.121%") or like(SrcIP"64.39.106.%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),QualysBlocked)
| fieldsadd QualysNotBlocked=if((like(SrcIP"64.39.106%") OR like(SrcIP"154.59.121.%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),QualysNotBlocked)
| fieldsadd NonQualysBlocked=if((like(SrcIP"64.39.106%") or like(SrcIP"154.59.121%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),NonQualysBlocked)
| fieldsadd NonQualysNotBlocked=if((like(SrcIP"64.39.106%") or like(SrcIP"154.59.121.%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),NonQualysNotBlocked)
| fieldsADD BlockedStatus = coalesce(QualysBlocked,QualysnotBlocked,NonQualysBlocked,NonQualysNotBlocked)
//| fieldsADD Blockedstatus = coalesce(QualysBlocked,QualysnonBlocked)
| summarize count() ,by:{market,BlockedStatus}

Re: Unexpected value in output - Splunk vs Dynatrace

IzabelaRokita — Wed, 17 Dec 2025 12:01:32 GMT

Hey @sharmas2 ,
I just wanted to check in and see if you still need help with this. If so, I’d be happy to look into it for you! 😊
Please let me know what works best for you.

topic Compare Output Values Between Splunk and Dynatrace Using DQL in DQL

Compare Output Values Between Splunk and Dynatrace Using DQL

Re: Unexpected value in output - Splunk vs Dynatrace