Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

diff

Description

Compares two search results and returns the line-by-line difference, or comparison, of the two. The two search results compared are specified by the two position values position1 and position2. These values default to 1 and 2 to compare the first two results.

By default, the text (_raw field) of the two search results is compared. Other fields can be compared by selecting another field using attribute.

Syntax

diff [position1=int] [position2=int] [attribute=string] [diffheader=bool] [context=bool] [maxlen=int]

Optional arguments

position1
Datatype: <int>
Description: Of the table of input search results, selects a specific search result to compare to position2.
Default: position1=1 and refers to the first search result.
position2
Datatype: <int>
Description: Of the table of input search results, selects a specific search result to compare to position1. This value must be greater than position1.
Default: position2=2 and refers to the second search result.
attribute
Datatype: <field>
Description: The field name to be compared between the two search results.
Default: attribute=_raw, which refers to the text of the event or result.
diffheader
Datatype: <bool>
Description: If true, show the traditional diff header, naming the "files" compared. The diff header makes the output a valid diff as would be expected by the programmer command-line patch command.
Default: diffheader=false.
context
Datatype: <bool>
Description: If true, selects context-mode diff output as opposed to the default unified diff output.
Default: context=false, or unified.
maxlen
Datatype: <int>
Description: Controls the maximum content in bytes diffed from the two events. If maxlen=0, there is no limit.
Default: maxlen=100000, which is 100KB.

Examples

Example 1:

Compare the "ip" values of the first and third search results.

... | diff pos1=1 pos2=3 attribute=ip

Example 2:

Compare the 9th search results to the 10th.

... | diff position1=9 position2=10

See also

set

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the diff command.

PREVIOUS
delta 		  NEXT
erex

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.9, 6.4.10, 6.4.11, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 6.4.8, 6.5.0, 6.5.1, 6.5.10

Comments

example :<br />my events in my log presents.logs are :<br /><br />2010-12-24 00:00:00 kid=corey christmas_presents=9<br />2011-12-24 00:00:00 kid=corey christmas_presents=3<br />2012-12-24 00:00:00 kid=corey christmas_presents=10<br /><br /><br />To detect a difference between the most recent and the previous number of presents, we can use diff.<br /><br />With limited details :<br />source=*presents.log kid=corey | diff attribute=christmas_presents diffheader=true context=true<br /><br />@@ -1 +1 @@<br />-10<br />+3<br /><br />the prefixes - and + shows the recent and previous valued of the field.<br /><br />With full details<br />source=*presents.log kid=corey | diff attribute=christmas_presents diffheader=true context=true<br /><br />*** /Users/ykherian/splunk/feed/presents.log<br />--- /Users/ykherian/splunk/feed/presents.log<br />***************<br />*** 1 ****<br />! 10<br />--- 1 ----<br />! 3<br /><br /><br /><br />Finally, If I want to check the last value and the one 2 times before, I can use positions :<br />source=*presents.log kid=corey | diff attribute=christmas_presents position1=1 position2=3

Ykherian, Splunker
July 25, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters