Instructions

  1. In Advanced Mode, converting SPL to CQL can generate intermediate output with uf (unknown fields).
  2. Map uf fields to relevant LogScale/NGSIEM fields and convert again to get final results.
  3. The Conversion Log shows warnings and unsupported functionality.
  4. Manually validate and adjust queries when needed.
  5. Some commands are available only with premium support.
  6. With premium support, our team helps migrate from Splunk to CrowdStrike.

Product Walkthrough

October 2025
SPL TO CQL
Advanced Mode


Field names and dataset references match your Falcon LogScale mappings.

Understands observability SPL patterns out of the box. Clean, schema-aware CrowdStrike CQL.