Forums: SplunkAdministration: Comparing two files


Hi there,

After trying for some time, I was not able to compare two files:


| file E:\test\3.log | diff E:\test\1.log

1.log

username=aa
username=bb

3.log

username=aa
username=cc
username=bb

This is what I get:

-username=aa
+username=cc

Platform: Windows 2008 Server (32bit)
Splunk: 4.0.4.

Hope you can help

I don't think you are using the diff command correctly, as it isn't intended to take a file as an argument. Rather it is designed to show the difference between two search results:

http://www.splunk.com/base/Documentation/latest/SearchReference/Diff

Let me know if I am missing something.

Is there a possibility to compare two files? :)

Sure, the unix "diff" command :)

Splunk "diff" will only compare two search results, so you should index both the files, and then you can use diff:


source=E:\test\3.log OR source=E:\test\1.log | diff

Hi araitz,

Let me explain the situation, Novell reports all trustees every night in a txt file:

"TRUSTEE","SYS:\Icon","LONG","[Root]","RF"
"TRUSTEE","SYS:\JAVA","LONG","SRV.AZL","RF"
"TRUSTEE","SYS:\LOGIN","LONG","[Public]","RF"

I index these files every night and want to compare the results with Splunk; is this even possible?

Thnx in advance!

Sure! Let's assume today's file is export1014.txt and yesterday's file was export1013.txt.

You need to configure Splunk to index the entire file as one event, so in props.conf you would configure something like this:

[source::.../export*.txt]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=somethingwhichshouldneverappearinaneventxyz123

Once Splunk indexes the file as such, you can just use the diff command as I mentioned above:

source=*export1013.txt OR source=*export1014.txt | diff
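
The comparison the answer above sets up in Splunk, done outside Splunk as an added example (not code from the thread or from Splunk): it parses two constructed nightly trustee exports in the format shown earlier in the thread, reports added, removed and changed trustee assignments per path (so a rights change such as RF becoming RWCEMF is flagged rather than just a changed line), and also produces the plain unified diff that Splunk's diff command would show. The file names and contents are assumed sample data.

```python
import csv
import difflib
from io import StringIO

# Constructed sample exports in the Novell trustee format from the thread
# (hypothetical contents; one quoted CSV row per trustee assignment).
EXPORT_1013 = r'''"TRUSTEE","SYS:\Icon","LONG","[Root]","RF"
"TRUSTEE","SYS:\JAVA","LONG","SRV.AZL","RF"
"TRUSTEE","SYS:\LOGIN","LONG","[Public]","RF"
'''
EXPORT_1014 = r'''"TRUSTEE","SYS:\Icon","LONG","[Root]","RF"
"TRUSTEE","SYS:\JAVA","LONG","SRV.AZL","RWCEMF"
"TRUSTEE","SYS:\LOGIN","LONG","[Public]","RF"
"TRUSTEE","SYS:\PUBLIC","LONG","[Public]","RF"
'''

def parse_trustees(text):
    """Map (path, trustee) -> rights mask for every TRUSTEE row in an export."""
    rights = {}
    for row in csv.reader(StringIO(text)):
        if len(row) == 5 and row[0] == "TRUSTEE":
            _, path, _, trustee, mask = row
            rights[(path, trustee)] = mask
    return rights

def compare_exports(old_text, new_text):
    """Return (added, removed, changed) assignments between two exports."""
    old, new = parse_trustees(old_text), parse_trustees(new_text)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed

def unified_diff(old_text, new_text, old_name="export1013.txt", new_name="export1014.txt"):
    """Line-level unified diff, the same view Splunk's diff command gives."""
    return "".join(difflib.unified_diff(old_text.splitlines(True),
                                        new_text.splitlines(True), old_name, new_name))

if __name__ == "__main__":
    added, removed, changed = compare_exports(EXPORT_1013, EXPORT_1014)
    for (path, trustee), mask in added.items():
        print(f"ADDED   {path} {trustee} {mask}")
    for (path, trustee), mask in removed.items():
        print(f"REMOVED {path} {trustee} {mask}")
    for (path, trustee), (before, after) in changed.items():
        print(f"CHANGED {path} {trustee} {before} -> {after}")
    print(unified_diff(EXPORT_1013, EXPORT_1014))
```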

Thnx worked like a charm!
