Splunk Cloud

Search Reference




Compares two search results and returns the line-by-line difference, or comparison, of the two. The two search results compared are specified by the two position values position1 and position2. These values default to 1 and 2 to compare the first two results.

By default, the text (_raw field) of the two search results is compared. To compare a different field, name it with the attribute argument.


diff [position1=int] [position2=int] [attribute=string] [diffheader=bool] [context=bool] [maxlen=int]

Optional arguments

position1
Datatype: <int>
Description: Of the table of input search results, selects a specific search result to compare to position2.
Default: position1=1 and refers to the first search result.

position2
Datatype: <int>
Description: Of the table of input search results, selects a specific search result to compare to position1. This value must be greater than position1.
Default: position2=2 and refers to the second search result.

attribute
Datatype: <field>
Description: The field name to be compared between the two search results.
Default: attribute=_raw, which refers to the text of the event or result.

diffheader
Datatype: <bool>
Description: If true, show the traditional diff header, naming the "files" compared. The diff header makes the output a valid diff as expected by the command-line patch command.
Default: diffheader=false.

context
Datatype: <bool>
Description: If true, selects context-mode diff output instead of the default unified diff output.
Default: context=false, or unified.

maxlen
Datatype: <int>
Description: Controls the maximum content in bytes diffed from the two events. If maxlen=0, there is no limit.
Default: maxlen=100000, which is 100KB.


Example 1:

Compare the "ip" values of the first and third search results.

... | diff position1=1 position2=3 attribute=ip

Example 2:

Compare the 9th search result to the 10th.

... | diff position1=9 position2=10
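To see what each option changes in the output, the following Python emulation of the command (an added example, not Splunk's code) runs difflib over constructed result rows and honours position1, position2, attribute, diffheader, context and maxlen; labelling the two header sides as positionN is an assumption about how Splunk names them.

```python
"""Emulation of Splunk's `diff` search command (added example, not Splunk code).

`diff` takes two rows of the result table (position1 and position2, 1-based,
most recent event first) and emits a unified or context diff of one field
(attribute, default _raw). difflib reproduces that output shape here so the
effect of each option can be inspected offline. All data is constructed."""
import difflib

# Constructed sample results: three sshd_config snapshots from one host,
# most recent first, as Splunk orders search results.
RESULTS = [
    {"host": "web01", "mode": "0600",
     "_raw": "PermitRootLogin no\nPasswordAuthentication no"},
    {"host": "web01", "mode": "0600",
     "_raw": "PermitRootLogin no\nPasswordAuthentication no"},
    {"host": "web01", "mode": "0644",
     "_raw": "PermitRootLogin yes\nPasswordAuthentication no"},
]


def splunk_diff(results, position1=1, position2=2, attribute="_raw",
                diffheader=False, context=False, maxlen=100000):
    """Return the text `diff` would output for the given options.

    Same defaults as the command: positions 1 and 2, _raw, unified output,
    no header, 100000-byte cap. Returns "" when the two values are equal.
    """
    if position1 < 1 or position2 <= position1 or position2 > len(results):
        raise ValueError("need 1 <= position1 < position2 <= number of results")
    a = str(results[position1 - 1].get(attribute, ""))
    b = str(results[position2 - 1].get(attribute, ""))
    if maxlen > 0:  # maxlen=0 means no limit; the cap is in bytes, not characters
        a = a.encode()[:maxlen].decode(errors="ignore")
        b = b.encode()[:maxlen].decode(errors="ignore")
    # Side labels are an assumption: Splunk's header names the compared "files".
    left, right = f"position{position1}", f"position{position2}"
    fn = difflib.context_diff if context else difflib.unified_diff
    lines = list(fn(a.splitlines(), b.splitlines(), left, right, lineterm=""))
    if not diffheader:
        lines = lines[2:]  # drop the ---/+++ (or ***/---) file header lines
    return "\n".join(lines)


if __name__ == "__main__":
    print(splunk_diff(RESULTS, position1=1, position2=3))
    print(splunk_diff(RESULTS, position1=1, position2=3, attribute="mode"))
    print(splunk_diff(RESULTS, 1, 3, diffheader=True, context=True))
```

Note that a small maxlen truncates both values before comparison, so a change beyond the cap is silently reported as no difference.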



This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.5, 7.0.3, 7.0.8, 7.0.11, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7


Example:
My events in my log presents.logs are:

2010-12-24 00:00:00 kid=corey christmas_presents=9
2011-12-24 00:00:00 kid=corey christmas_presents=3
2012-12-24 00:00:00 kid=corey christmas_presents=10

To detect a difference between the most recent and the previous number of presents, we can use diff.

With limited details:
source=*presents.log kid=corey | diff attribute=christmas_presents diffheader=true context=true

@@ -1 +1 @@
-10
+3

The prefixes - and + show the recent and previous values of the field.

With full details:
source=*presents.log kid=corey | diff attribute=christmas_presents diffheader=true context=true

*** /Users/ykherian/splunk/feed/presents.log
--- /Users/ykherian/splunk/feed/presents.log
***************
*** 1 ****
! 10
--- 1 ----
! 3

Finally, if I want to check the last value and the one 2 times before, I can use positions:
source=*presents.log kid=corey | diff attribute=christmas_presents position1=1 position2=3

Ykherian, Splunker
July 25, 2012
