Migrate Splunk detection rules to Microsoft Sentinel

Double quotes make splunk think the value is a literal string, rather than a field Use single quotes in your coalesce instead, and you should

splunk logo Splunk datadog logo Datadog new relic logo New Relic snowflake coalesce · concat · constants · env · format · join · json_decode · json_path

coalesce معنى Splunk 偵測規則至Microsoft Sentinel 內 coalesce 傳回非Null 的第一個值。 coalesce(null(), Returned val

opposite of coalesce Splunk query will return all the events within a five minute time coalesce fields from different sources or indexes to create a transaction of