Documentation > Splunk > Search Reference > diff

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Search in the CLI

diff

Contents

diff

Synopsis

Returns the difference between two search results.

Syntax

diff [position1=int] [position2=int] [attribute=string] [diffheader=bool] [context=bool] [maxlen=int]

Optional arguments

position1
Datatype: <int>
Description: The position of a search result to compare to position2. By default, position1=1 and refers to the first search result.
position2
Datatype: <int>
Description: The position of a search result, must be greater than position1. By default, position2=2 and refers to the second search result.
attribute
Datatype: <field>
Description: The field name to be compared between the two search results. By default, attribute=_raw.
diffheader
Datatype: <bool>
Description: Specify whether to show (diffheader=true) or hide a header that explains the diff output. By default, diffheader=false.
context
Datatype: <bool>
Description: Specify whether to show (context=true) or hide context lines around the diff output. By default, context=false.
maxlen
Datatype: <int>
Description: Controls the maximum content in bytes diffed from the two events. By default, maxlen=100000, meaning 100KB; if maxlen=0, there is no limit.

Description

Compares two search results and returning the difference of the two. Which two search results are compared is specified by the two position values, which default to 1 and 2 (to compare the first two results). By default, the raw text (_raw attribute) of the two search results are compared, but other attributes can be specified with attribute. If diffheader is true, the traditional diff headers are created based on the source keys of the two events, it defaults to false. If context is true, context lines around the diff are shown; it defaults to false. If maxlen is provided, it controls the maximum content in bytes diffed from the two events. It defaults to 100000. If maxlen=0, there is no limit.

Examples

Example 1: Compare the "ip" values of the first and third search results.

... | diff pos1=1 pos2=3 attribute=ip

Example 2: Compare the 9th search results to the 10th.

... | diff position1=9 position2=10

See also

set

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the diff command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Diff"

This documentation applies to the following versions of Splunk: 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!