diff
Description
The diff command mimics *nix diff output and compares two search results at a time by returning the line-by-line difference, or comparison, of the two. The two search results compared are specified by the two position values position1 and position2. These values default to 1 and 2 to compare the first two results.
By default, the text (_raw field) of the two search results is compared. Other fields can be compared by selecting another field using attribute.
Syntax
diff [position1=int] [position2=int] [attribute=string] [diffheader=bool] [context=bool] [maxlen=int]
Optional arguments
- position1
  - Datatype: <int>
  - Description: Of the table of input search results, selects a specific search result to compare to position2.
  - Default: position1=1, which refers to the first search result.
- position2
  - Datatype: <int>
  - Description: Of the table of input search results, selects a specific search result to compare to position1. This value must be greater than position1.
  - Default: position2=2, which refers to the second search result.
- attribute
  - Datatype: <field>
  - Description: The field name to be compared between the two search results.
  - Default: attribute=_raw, which refers to the text of the event or result.
- diffheader
  - Datatype: <bool>
  - Description: If true, show the traditional diff header, naming the "files" compared. The diff header makes the output a valid diff, as the command-line patch command expects.
  - Default: diffheader=false.
- context
  - Datatype: <bool>
  - Description: If true, selects context-mode diff output as opposed to the default unified diff output.
  - Default: context=false, or unified.
- maxlen
  - Datatype: <int>
  - Description: Controls the maximum content in bytes diffed from the two events. If maxlen=0, there is no limit.
  - Default: maxlen=100000, which is 100KB.
Examples
Example 1:
Compare the "ip" values of the first and third search results.
... | diff position1=1 position2=3 attribute=ip
Example 2:
Compare the 9th search result to the 10th.
... | diff position1=9 position2=10
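The optional arguments above, emulated with Python's standard difflib module as an added illustration; this is not Splunk's implementation. The sample results, the emulate_diff function and the "result N" header names are constructed for this example, and it assumes maxlen truncates each value before the comparison.

```python
import difflib

# Constructed sample results: three snapshots of an sshd_config-style event.
RESULTS = [
    {"_raw": "PermitRootLogin no\nPasswordAuthentication no\nPort 22", "ip": "10.0.0.5"},
    {"_raw": "PermitRootLogin yes\nPasswordAuthentication no\nPort 22", "ip": "10.0.0.5"},
    {"_raw": "PermitRootLogin yes\nPasswordAuthentication yes\nPort 2222", "ip": "10.0.0.9"},
]


def emulate_diff(results, position1=1, position2=2, attribute="_raw",
                 diffheader=False, context=False, maxlen=100000):
    """Approximate the documented options; returns the diff as a list of lines."""
    # Positions are 1-based and position2 must be greater than position1.
    if not 1 <= position1 < position2 <= len(results):
        raise ValueError("need 1 <= position1 < position2 <= number of results")
    texts = []
    for pos in (position1, position2):
        value = str(results[pos - 1].get(attribute, ""))
        if maxlen:  # maxlen=0 means no limit
            # Assumption: only the first maxlen bytes of each value are compared.
            value = value.encode()[:maxlen].decode(errors="ignore")
        texts.append(value.splitlines())
    # context=true selects context-mode output; the default is unified.
    differ = difflib.context_diff if context else difflib.unified_diff
    lines = list(differ(texts[0], texts[1],
                        fromfile=f"result {position1}",
                        tofile=f"result {position2}",
                        lineterm=""))
    if not diffheader:
        lines = lines[2:]  # drop the two header lines that name the "files"
    return lines


if __name__ == "__main__":
    print("\n".join(emulate_diff(RESULTS)))
    print("\n".join(emulate_diff(RESULTS, 1, 3, attribute="ip", diffheader=True)))
    print("\n".join(emulate_diff(RESULTS, 2, 3, context=True)))
```

With a small maxlen, two values that differ only past the limit compare as identical, so an empty diff does not prove the full events match.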
See also
delta | entitymerge
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.1, 8.1.11, 8.1.13, 8.1.14