Running FSQL from Splunk
What is FSQL
Federated Search Query Language (FSQL) is a powerful yet intuitive query language designed specifically for security analysts and threat hunters to search across multiple security data sources through a unified interface. FSQL allows you to retrieve, filter, and analyze security events from diverse platforms without needing to learn different query languages for each system.
For more detail and worked examples of the language itself, see Introduction to FSQL.
How to run FSQL queries as an SPL pipeline command
FSQL is available as a generating command in the Splunk SPL pipeline. Because it generates events rather than filtering them, it is placed at the start of the search with a leading pipe:
| fsql <query>
For example:
| fsql QUERY authentication.user.username, authentication.src_endpoint.ip
WITH authentication.status_id = FAILURE
BEFORE 24hrs AFTER 48hrs
FROM 'Active Directory', 'Okta'
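As an added example (not taken from this page or from the FSQL documentation), the generating command can feed ordinary SPL commands for post-processing. The search below reuses the page's own failed-authentication query and then aggregates the results per user to surface accounts with many failures or failures from several source addresses across both identity sources. It assumes that the events returned by fsql keep the FSQL field names (authentication.user.username and authentication.src_endpoint.ip) in the SPL pipeline; the thresholds of 10 failures and 3 distinct sources are illustrative values, not recommendations from the page.

```spl
| fsql QUERY authentication.user.username, authentication.src_endpoint.ip
  WITH authentication.status_id = FAILURE
  BEFORE 24hrs AFTER 48hrs
  FROM 'Active Directory', 'Okta'
| stats count AS failures, dc("authentication.src_endpoint.ip") AS distinct_sources BY "authentication.user.username"
| where failures >= 10 OR distinct_sources >= 3
| sort - failures
```

The fsql command must remain the first command in the search; everything after it is standard SPL, so the same pipeline can be saved as a scheduled search or alert once the thresholds have been tuned to the environment.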
FSQL Query Syntax and Examples
Please refer to:
- FSQL User Guide for Security Analysts to understand FSQL syntax and examples
- From SPL to FSQL: A Security Analyst's Guide to understand it from the perspective of existing Splunk SPL users.