https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580068#M13359 <P>The <FONT face="courier new,courier">diff</FONT> command does indeed work on strings, but produces output like that of the Linux diff command, which probably is not what you seek.</P><P>&nbsp;</P><LI-CODE lang="markup">@@ -1 +1 @@ -Bar Foo1.txt Foo Bar1.txt +Bar 1.txt Foo Bar1.txt</LI-CODE><P>I regret that don't know how to solve the problem.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Jan 2022 00:55:25 GMT richgalloway 2022-01-06T00:55:25Z https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580015#M13356 <P>Hello,</P><P>i have a log file which is capturing processed files.</P><P>The file text always has the same string, its just the date prefix which changes.&nbsp;<BR />So i would like to read in the files processed today and compare to yesterday and how the difference.</P><P>I have used the answers to other questions to get the file date read in by day, however the diff command does not work, is this only for integers rather than string.</P><P><SPAN class=""><SPAN class="">&nbsp; Successfully</SPAN> <SPAN class="">processed</SPAN> <SPAN class="">file</SPAN></SPAN> <SPAN class="">20211105-zone-Foo</SPAN>&nbsp;Bar<SPAN class="">1.txt</SPAN></P><P><SPAN class=""><SPAN class="">&nbsp; Successfully processed file</SPAN> 20211105-zone-Bar 1.txt</SPAN></P><P><SPAN class="">&nbsp;&nbsp;<SPAN class="">Successfully processed file</SPAN> 20211106_zone-Foo&nbsp;Bar1.txt</SPAN></P><P><SPAN class="">&nbsp;&nbsp;<SPAN class="">Successfully processed file</SPAN> 20211106-zone-Bar Foo1.txt</SPAN></P><P>&nbsp;</P><P><SPAN class="">index=foo source=bar earliest=-1d@d latest=now "Successfully processed file"<BR />| rex "\-zone\-(?&lt;File&gt;.+)"<BR />| eval Day=if(_time&lt;relative_time(now(),"@d"),"Yesterday","Today")<BR />| chart values(File) by Day<BR />| eval Diff=Yesterday-Today<BR />| where Yesterday!=Today</SPAN></P><P>&nbsp;</P><P><SPAN class="">i would like to report that&nbsp;Bar 1.txt and&nbsp;Bar Foo1.txt are the differences.</SPAN></P> Wed, 05 Jan 2022 15:13:01 GMT https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580015#M13356 ssaenger 2022-01-05T15:13:01Z https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580068#M13359 <P>The <FONT face="courier new,courier">diff</FONT> command does indeed work on strings, but produces output like that of the Linux diff command, which probably is not what you seek.</P><P>&nbsp;</P><LI-CODE lang="markup">@@ -1 +1 @@ -Bar Foo1.txt Foo Bar1.txt +Bar 1.txt Foo Bar1.txt</LI-CODE><P>I regret that don't know how to solve the problem.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Jan 2022 00:55:25 GMT https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580068#M13359 richgalloway 2022-01-06T00:55:25Z https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580079#M13360 <P>Please check this.. this works fine picking up the Date and File name..</P><LI-CODE lang="markup">| makeresults | eval log= "Successfully processed file 20211105-zone-Foo Bar1.txt Successfully processed file 20211105-zone-Bar 1.txt Successfully processed file 20211106_zone-Foo Bar1.txt Successfully processed file 20211106-zone-Bar Foo1.txt" | rex field=log max_match=0 "(?P&lt;Date&gt;\d+)\-zone\-(?&lt;File&gt;.+)" | table Date File</LI-CODE><P>&nbsp;</P><P>i have come up with compare logic, but the eval works only once.. not sure of how to do the eval multiple times..&nbsp; &nbsp;as you have the real logs, pls check this and update us what happen:</P><P>| makeresults | eval log= "Successfully processed file 20211105-zone-Foo Bar1.txt<BR />Successfully processed file 20211105-zone-Bar 1.txt<BR />Successfully processed file 20211106_zone-Foo Bar1.txt<BR />Successfully processed file 20211106-zone-Bar Foo1.txt"<BR />| rex field=log max_match=0 "(?P&lt;Date&gt;\d+)\-zone\-(?&lt;File&gt;.+)"<BR />| eval compare=strptime(Date,"%Y%m%d")<BR />| where compare &gt; strptime(Date,"%Y%m%d")<BR />| table Date File Day</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rex-date.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17422i5552D09F1BF5B1E3/image-size/large?v=v2&amp;px=999" role="button" title="rex-date.png" alt="rex-date.png" /></span></P> Thu, 06 Jan 2022 03:56:24 GMT https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580079#M13360 inventsekar 2022-01-06T03:56:24Z https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580108#M13361 <LI-CODE lang="markup">| makeresults | eval _raw= "Successfully processed file 20211105-zone-Foo Bar1.txt Successfully processed file 20211105-zone-Bar 1.txt Successfully processed file 20211106-zone-Foo Bar1.txt Successfully processed file 20211106-zone-Bar Foo1.txt" | multikv noheader=t | table _raw ``` The lines above set up example data (correcting typo?) ``` | rex "(?&lt;date&gt;\d+)\-zone\-(?&lt;file&gt;.+)" | stats count by file | where count = 1</LI-CODE> Thu, 06 Jan 2022 11:22:07 GMT https://community.splunk.com/t5/Alerting/Compare-text-strings-over-2-days/m-p/580108#M13361 ITWhisperer 2022-01-06T11:22:07Z