diff

diff

Synopsis

Returns the difference between two search results.

Syntax

diff [position1=int] [position2=int] [attribute=string] [header=bool] [context=bool]

Arguments

position1

Datatype: <int>

Description: The position of a search result to compare to position2. By default, position1=1 and refers to the first search result.

position2

Datatype: <int>

Description: The position of a search result, must be greater than position1. By default, position2=2 and refers to the second search result.

attribute

Datatype: <field>

Description: The field name to be compared between the two search results. By default, attribute=_raw.

header

Datatype: <bool>

Description: Specify whether to show (header=true) or hide a header that explains the diff output. By default, header=false.

context

Datatype: <bool>

Description: Specify whether to show (context=true) or hide context lines around the diff output. By default, context=false.

Description

Compares two search results and returning the difference of the two. Which two search results are compared is specified by the two position values, which default to 1 and 2 (to compare the first two results). By default, the raw text (_raw attribute) of the two search results are compared, but other attributes can be specified with attribute. If header is true, the traditional diff headers are created based on the source keys of the two events, it defaults to false. If context is true, context lines around the diff are shown; it defaults to false.

The diff command should not be used for events that have more than 500 lines, because the results may not be accurate.

Examples

Example 1: Compare the "ip" values of the first and third search results.

Example 2: Compare the 9th search results to the 10th.

See also

set

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the diff command.

• Was this topic useful?
• Post a comment