diff
This documentation does not apply to the most recent version of Splunk.
Synopsis
Returns the difference between two search results.
Syntax
diff [position1=int] [position2=int] [attribute=string] [header=bool] [context=bool]
Arguments
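- position1
  - Datatype: <int>
  - Description: Position of the first search result to compare; it defaults to 1.
- position2
  - Datatype: <int>
  - Description: Position of the second search result to compare; it defaults to 2.
- attribute
  - Datatype: <string>
  - Description: The attribute whose values are compared; it defaults to the raw text of the result (_raw).
- header
  - Datatype: <bool>
  - Description: If 'header' is true, a header is shown that explains the diff output; it defaults to false.
- context
  - Datatype: <bool>
  - Description: If 'context' is true, context lines around the diff are shown; it defaults to false.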
Description
Compares two search results, returning the 'diff' of the two. The two position values specify which search results are compared; they default to 1 and 2 (i.e., compare the first two results). By default, the raw text of the two search results (i.e., the _raw attribute) is compared, but another attribute can be specified with 'attribute'. If 'header' is true, a header is shown that explains the diff output; it defaults to false. If 'context' is true, context lines around the diff are shown; it defaults to false.
Examples
Example 1: Compare the "ip" values of the first and third search results.
... | diff position1=1 position2=3 attribute=ip
Example 2: Compare the raw text of the ninth and tenth search results.
... | diff position1=9 position2=10
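The following Python model of the options described above is an added example, not Splunk's code. It assumes unified-diff notation for the output (the page does not specify the format) and uses constructed sample results (successive snapshots of an sshd configuration) to show what a change-monitoring search would surface.

```python
import difflib

# Constructed sample: three search results, each holding a snapshot of an
# sshd configuration in _raw plus an "ip" attribute (documentation addresses).
RESULTS = [
    {"_raw": "Port 22\nPermitRootLogin no\nPasswordAuthentication no", "ip": "192.0.2.5"},
    {"_raw": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no", "ip": "192.0.2.5"},
    {"_raw": "Port 2222\nPermitRootLogin no\nPasswordAuthentication no", "ip": "192.0.2.9"},
]


def diff_results(results, position1=1, position2=2, attribute="_raw",
                 header=False, context=False):
    """Model of the documented options; returns the diff as a list of lines.

    Assumption: unified-diff notation stands in for Splunk's output format.
    """
    for pos in (position1, position2):
        if not 1 <= pos <= len(results):
            raise ValueError(f"position {pos} is outside 1..{len(results)}")
    # Positions are 1-based: the defaults compare the first two results.
    a = str(results[position1 - 1].get(attribute, "")).splitlines()
    b = str(results[position2 - 1].get(attribute, "")).splitlines()
    lines = list(difflib.unified_diff(
        a, b,
        fromfile=f"result {position1} ({attribute})",
        tofile=f"result {position2} ({attribute})",
        n=3 if context else 0,  # context=false: changed lines only
        lineterm=""))
    if not header:
        # Drop the '---' / '+++' lines that say what is being compared.
        lines = lines[2:]
    return lines


if __name__ == "__main__":
    # Full output: header plus the unchanged lines around the change.
    print("\n".join(diff_results(RESULTS, header=True, context=True)))
```
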
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11