Splunk Cloud Platform

Search Reference



The diff command mimics *nix diff output and compares two search results at a time by returning the line-by-line difference, or comparison, of the two. The two search results compared are specified by the two position values position1 and position2. These values default to 1 and 2 to compare the first two results.

By default, the text (_raw field) of the two search results is compared. Other fields can be compared by selecting another field using attribute.


diff [position1=int] [position2=int] [attribute=string] [diffheader=bool] [context=bool] [maxlen=int]

Optional arguments

Datatype: <int>
Description: Of the table of input search results, selects a specific search result to compare to position2.
Default: position1=1 and refers to the first search result.
Datatype: <int>
Description: Of the table of input search results, selects a specific search result to compare to position1. This value must be greater than position1.
Default: position2=2 and refers to the second search result.
Datatype: <field>
Description: The field name to be compared between the two search results.
Default: attribute=_raw, which refers to the text of the event or result.
Datatype: <bool>
Description: If true, show the traditional diff header, naming the "files" compared. The diff header makes the output a valid diff as would be expected by the programmer command-line patch command.
Default: diffheader=false.
Datatype: <bool>
Description: If true, selects context-mode diff output as opposed to the default unified diff output.
Default: context=false, or unified.
Datatype: <int>
Description: Controls the maximum content in bytes diffed from the two events. If maxlen=0, there is no limit.
Default: maxlen=100000, which is 100KB.


Example 1:

Compare the "ip" values of the first and third search results.

... | diff pos1=1 pos2=3 attribute=ip

Example 2:

Compare the 9th search results to the 10th.

... | diff position1=9 position2=10

See also


Last modified on 01 April, 2024
delta   entitymerge

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters