diff

This documentation applies to the following versions of Splunk: 3.4.6, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10

Synopsis

Returns the difference between two search results.

Syntax

diff [position1=int] [position2=int] [attribute=string] [header=bool] [context=bool]

Arguments

position1
Datatype: <int>
Description:
position2
Datatype: <int>
Description:
attribute
Datatype: <string>
Description:
header
Datatype: <bool>
Description: If 'header' is true, a header is shown that explains the diff output; it defaults to false.
context
Datatype: <bool>
Description: If 'context' is true, context lines around the diff are shown; it defaults to false.


Description

Compares two search results and returns the 'diff' of the two. The two position values specify which search results are compared; they default to 1 and 2 (i.e., the first two results are compared). By default, the raw text of the two search results (i.e., the _raw attribute) is compared, but another attribute can be specified with 'attribute'. If 'header' is true, a header is shown that explains the diff output; it defaults to false. If 'context' is true, context lines around the diff are shown; it defaults to false.

Examples

Example 1: Compare the "ip" values of the first and third search results.

... | diff pos1=1 pos2=3 attribute=ip

Example 2: Compare the raw text of the ninth and tenth search results.

... | diff position1=9 position2=10
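
The options in the Description, modeled in Python on constructed events as an added example; this is not Splunk's code and does not reproduce Splunk's output format. The function name `diff_results`, the sample `EVENTS`, the use of `difflib`, and the mapping of 'header' and 'context' onto unified-diff headers and three context lines are assumptions made for illustration.

```python
import difflib

# Constructed sample results (not from the page): two snapshots of an sshd
# configuration plus one unrelated event, each with an extracted "ip" field.
EVENTS = [
    {"_raw": "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding no",
     "ip": "10.0.0.5"},
    {"_raw": "Port 22\nPermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding no",
     "ip": "10.0.0.5"},
    {"_raw": "Accepted publickey for deploy from 10.0.0.9", "ip": "10.0.0.9"},
]


def diff_results(results, position1=1, position2=2, attribute="_raw",
                 header=False, context=False):
    """Model the documented options; line format is difflib's, not Splunk's."""
    # Positions are 1-based: the documented defaults 1 and 2 select the
    # first two results.
    for pos in (position1, position2):
        if not 1 <= pos <= len(results):
            raise IndexError(f"position {pos} is outside 1..{len(results)}")
    old = str(results[position1 - 1].get(attribute, "")).splitlines()
    new = str(results[position2 - 1].get(attribute, "")).splitlines()
    lines = list(difflib.unified_diff(
        old, new,
        fromfile=f"result {position1} ({attribute})",
        tofile=f"result {position2} ({attribute})",
        n=3 if context else 0,  # assumption: 3 context lines when context=true
        lineterm=""))
    if not header:
        # Assumption: "header" maps to the ---/+++ lines and @@ hunk markers.
        lines = [ln for ln in lines[2:] if not ln.startswith("@@")]
    return lines


if __name__ == "__main__":
    for opts in ({}, {"context": True},
                 {"position1": 1, "position2": 3, "attribute": "ip", "header": True}):
        print(opts, *diff_results(EVENTS, **opts), sep="\n  ")
```

With the defaults only the changed `PermitRootLogin` line is returned, which is the behaviour to rely on when diffing successive configuration snapshots for change detection.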


See also

set

Revision: 207. Community content licensed under Creative Commons.