diff
Synopsis
Returns the difference between two search results.
Syntax
diff [position1=int] [position2=int] [attribute=string] [diffheader=bool] [context=bool] [maxlen=int]
Optional arguments
- position1
- Datatype: <int>
- Description: The position of a search result to compare to position2. By default, position1=1 and refers to the first search result.
- position2
- Datatype: <int>
- Description: The position of a search result; must be greater than position1. By default, position2=2 and refers to the second search result.
- attribute
- Datatype: <field>
- Description: The field name to be compared between the two search results. By default, attribute=_raw.
- diffheader
- Datatype: <bool>
- Description: Specify whether to show (diffheader=true) or hide (diffheader=false) a header that explains the diff output. By default, diffheader=false.
- context
- Datatype: <bool>
- Description: Specify whether to show (context=true) or hide (context=false) context lines around the diff output. By default, context=false.
- maxlen
- Datatype: <int>
- Description: Controls the maximum content, in bytes, diffed from the two events. By default, maxlen=100000 (100 KB); if maxlen=0, there is no limit.
Description
Compares two search results and returns the difference between them. Which two results are compared is specified by the two position values, which default to 1 and 2 (the first two results). By default the raw text (the _raw field) of the two results is compared, but another field can be named with attribute. If diffheader=true, traditional diff headers are created from the source keys of the two events; it defaults to false. If context=true, context lines around the diff are shown; it defaults to false. maxlen controls the maximum content, in bytes, diffed from each event; it defaults to 100000, and maxlen=0 means no limit.
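The following is an added illustration of the semantics described above, not Splunk's own implementation. It models the command with Python's standard-library difflib, whose unified and context formats are the ones visible in the output samples later on this page ("@@ -1 +1 @@" and "*** 1 ****"). The result dicts, the field names, the /var/log/presents.log source path and the mapping of diffheader=false to header-less unified output are constructed assumptions for the example.

```python
"""Model of the Splunk `diff` search command (added example, not Splunk code).

Assumptions: a search result is a dict of field -> string; positions are
1-based like position1/position2; comparison uses difflib, which produces
the unified ("@@ -1 +1 @@") and context ("*** 1 ****") styles seen on the page.
"""
import difflib

# Constructed sample results (not real Splunk output): three events from a
# hypothetical presents.log, newest first, as a search would return them.
SAMPLE_RESULTS = [
    {"_raw": "2012-12-24 00:00:00 kid=corey christmas_presents=10",
     "source": "/var/log/presents.log", "christmas_presents": "10"},
    {"_raw": "2011-12-24 00:00:00 kid=corey christmas_presents=3",
     "source": "/var/log/presents.log", "christmas_presents": "3"},
    {"_raw": "2010-12-24 00:00:00 kid=corey christmas_presents=9",
     "source": "/var/log/presents.log", "christmas_presents": "9"},
]


def diff_results(results, position1=1, position2=2, attribute="_raw",
                 diffheader=False, context=False, maxlen=100000):
    """Return the diff of `attribute` between two 1-based result positions.

    Enforces the documented constraints: position2 > position1 >= 1, both
    positions must exist, and maxlen caps the compared bytes (0 = no limit).
    A missing field compares as the empty string.
    """
    if position1 < 1 or position2 <= position1:
        raise ValueError("position2 must be greater than position1 (>= 1)")
    if position2 > len(results):
        raise ValueError(f"only {len(results)} results; position {position2} does not exist")

    a = results[position1 - 1].get(attribute, "")
    b = results[position2 - 1].get(attribute, "")
    if maxlen > 0:
        # Cap on the UTF-8 encoding so the limit is in bytes, as documented.
        a = a.encode("utf-8")[:maxlen].decode("utf-8", "ignore")
        b = b.encode("utf-8")[:maxlen].decode("utf-8", "ignore")

    # Compare line by line like a file diff; a single-line value is one line.
    a_lines, b_lines = a.splitlines(), b.splitlines()
    n = 3 if context else 0  # context lines around each change

    if diffheader:
        # Header lines name each side by the event's source key (assumed mapping);
        # context format matches the "*** 1 ****" / "--- 1 ----" sample on the page.
        fromfile = results[position1 - 1].get("source", "")
        tofile = results[position2 - 1].get("source", "")
        lines = list(difflib.context_diff(a_lines, b_lines, fromfile, tofile,
                                          n=n, lineterm=""))
    else:
        # Unified format without the two "---"/"+++" file lines, matching
        # the "@@ -1 +1 @@" sample on the page. Identical values yield nothing.
        lines = list(difflib.unified_diff(a_lines, b_lines, "", "",
                                          n=n, lineterm=""))[2:]
    return "\n".join(lines)


if __name__ == "__main__":
    # Most recent vs previous event, one field (positions default to 1 and 2).
    print(diff_results(SAMPLE_RESULTS, attribute="christmas_presents"))
    # Same comparison with headers and context lines.
    print(diff_results(SAMPLE_RESULTS, attribute="christmas_presents",
                       diffheader=True, context=True))
    # Most recent vs the one two events before it.
    print(diff_results(SAMPLE_RESULTS, position1=1, position2=3,
                       attribute="christmas_presents"))
```

The "-" lines belong to the position1 result and the "+" (or first "!") lines to the position2 result, so with Splunk's newest-first ordering the defaults show the newest value as removed and the older value as added; read the signs accordingly when scanning for an unexpected change.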
Examples
Example 1: Compare the "ip" values of the first and third search results.
... | diff position1=1 position2=3 attribute=ip
Example 2: Compare the 9th search result to the 10th.
... | diff position1=9 position2=10
This documentation applies to the following versions of Splunk: 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2
Example:
My events in my log presents.log are:
2010-12-24 00:00:00 kid=corey christmas_presents=9
2011-12-24 00:00:00 kid=corey christmas_presents=3
2012-12-24 00:00:00 kid=corey christmas_presents=10
To detect a difference between the most recent and the previous number of presents, we can use diff.
With limited details:
source=*presents.log kid=corey | diff attribute=christmas_presents diffheader=true context=true
@@ -1 +1 @@
-10
+3
The prefixes - and + show the recent and previous values of the field.
With full details:
source=*presents.log kid=corey | diff attribute=christmas_presents diffheader=true context=true
*** /Users/ykherian/splunk/feed/presents.log
--- /Users/ykherian/splunk/feed/presents.log
***************
*** 1 ****
! 10
--- 1 ----
! 3
Finally, if I want to check the last value and the one two times before, I can use positions:
source=*presents.log kid=corey | diff attribute=christmas_presents position1=1 position2=3