http://www.splunk.com/support/forum:SplunkAdministration/3401 Mon, 13 Feb 2012 17:54:46 PST Mon, 13 Feb 2012 17:54:46 PST en-us http://creativecommons.org/licenses/by-nc-nd/2.5/ http://www.splunk.com/support/forum:SplunkAdministration/3401/11110 <p>Thnx worked like a charm!</p> Thu, 15 Oct 2009 03:26:01 PDT CerielTjuh http://www.splunk.com/support/forum:SplunkAdministration/3401/11110 http://www.splunk.com/support/forum:SplunkAdministration/3401/11091 <p>Sure! Let's assume today's file is export1014.txt and yesterday's file was export1013.txt.</p> <p>You need to configure Splunk to index the entire file as one event, so in props.conf you would configure something like this:</p> <div class="wikiCode"><pre> [source::.../export*.txt] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE=somethingwhichshouldneverappearinaneventxyz123</pre></div> <p>Once splunk indexes the file as such, you can just use the diff command as I mentioned above:</p> <div class="wikiCode"><pre> source=*export1013.txt OR source=*export1014.txt | diff</pre></div> Wed, 14 Oct 2009 07:36:20 PDT araitz http://www.splunk.com/support/forum:SplunkAdministration/3401/11091 http://www.splunk.com/support/forum:SplunkAdministration/3401/11080 <p>Hi araitz,</p> <p>Let me explain the situation, Novell reports all trustees every night in a txt file:</p> <p>&quot;TRUSTEE&quot;,&quot;SYS:\Icon&quot;,&quot;LONG&quot;,&quot;[Root]&quot;,&quot;RF&quot;<br /> &quot;TRUSTEE&quot;,&quot;SYS:\JAVA&quot;,&quot;LONG&quot;,&quot;SRV.AZL&quot;,&quot;RF&quot;<br /> &quot;TRUSTEE&quot;,&quot;SYS:\LOGIN&quot;,&quot;LONG&quot;,&quot;[Public]&quot;,&quot;RF&quot;</p> <p>I index these files every night and want to compare the results with Splunk, is this even possible?</p> <p>Thnx in advance!</p> Wed, 14 Oct 2009 01:46:35 PDT CerielTjuh http://www.splunk.com/support/forum:SplunkAdministration/3401/11080 http://www.splunk.com/support/forum:SplunkAdministration/3401/11024 <p>Sure, the unix &quot;diff&quot; command :)</p> <p>Splunk &quot;diff&quot; will only compare two search results, so you should index both the files, and then you can use diff:</p> <div class="wikiCode"><pre> source=E:\test\3.log OR source=E:\test\1.log | diff </pre></div> Fri, 09 Oct 2009 08:08:04 PDT araitz http://www.splunk.com/support/forum:SplunkAdministration/3401/11024 http://www.splunk.com/support/forum:SplunkAdministration/3401/11021 <p>Is there a possibility to compare two files? :)</p> Fri, 09 Oct 2009 07:31:36 PDT CerielTjuh http://www.splunk.com/support/forum:SplunkAdministration/3401/11021 http://www.splunk.com/support/forum:SplunkAdministration/3401/11018 <p>I don't think you are using the diff command correctly, as it isn't intended to take a file as an argument. Rather it is designed to show the difference between two search results:</p> <p><a href="http://www.splunk.com/base/Documentation/latest/SearchReference/Diff">http://www.splunk.com/base/Documentation/latest/SearchReference/Diff</a></p> <p>Let me know if I am missing something.</p> Fri, 09 Oct 2009 06:28:45 PDT araitz http://www.splunk.com/support/forum:SplunkAdministration/3401/11018 http://www.splunk.com/support/forum:SplunkAdministration/3401/11011 <p>Hi there,</p> <p>After trying some time, I was not able to compare two files:</p> <p><tt><br /> | file E:\test\3.log | diff E:\test\1.log<br /> </tt></p> <p><strong>1.log</strong><br /> <tt><br /> username=aa<br /> username=bb<br /> </tt></p> <p><strong>3.log</strong><br /> <tt><br /> username=aa<br /> username=cc<br /> username=bb<br /> </tt></p> <p>This is what I get:</p> <p>-username=aa<br /> +username=cc</p> <p>Platform: Windows 2008 Server (32bit)<br /> Splunk: 4.0.4.</p> <p>Hope you can help</p> Fri, 09 Oct 2009 05:44:01 PDT CerielTjuh http://www.splunk.com/support/forum:SplunkAdministration/3401/11011