https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552887#M156941 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234662">@akankshayadav</a>&nbsp;</P><P>this search compares the previous event data to the last event data based on your timerange</P><LI-CODE lang="markup">| stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)</LI-CODE> Tue, 25 May 2021 07:05:15 GMT aasabatini 2021-05-25T07:05:15Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552875#M156934 <P>How can we compare different versions of a file?</P> Tue, 25 May 2021 06:23:44 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552875#M156934 akankshayadav 2021-05-25T06:23:44Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552876#M156935 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234662">@akankshayadav</a>&nbsp;</P><P>can you add more details?</P><P>this file is already indexed? where are stored the file? maybe it's better a versioning software?</P><P>Regards</P><P>Alessandro</P> Tue, 25 May 2021 06:28:00 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552876#M156935 aasabatini 2021-05-25T06:28:00Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552877#M156936 <P>I have a file, say abc.csv, which I indexed once having events a b c , then i indexed it again after some days updating it, having events a b c d, again i indexed it at some point of time, having events a c and again then i uploaded it having events a b c.</P><P><BR />My desired output&nbsp;&nbsp;<BR />date 2- d</P><P>date 3- c</P><P>date 4- same<BR /><BR /></P> Tue, 25 May 2021 06:32:13 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552877#M156936 akankshayadav 2021-05-25T06:32:13Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552880#M156938 <P>Try this search to check when is indexed an event</P><P>&nbsp;</P><LI-CODE lang="markup">index=&lt;your index&gt; | eventstats count by _raw | where count=1 | table source _indextime _raw</LI-CODE><P>&nbsp;</P> Tue, 25 May 2021 06:41:06 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552880#M156938 aasabatini 2021-05-25T06:41:06Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552882#M156939 <P>This solution only compares the last and latest ones.. can u give something which compares the latest to all the previous ones.&nbsp;<BR />Regards&nbsp;</P> Tue, 25 May 2021 06:42:41 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552882#M156939 akankshayadav 2021-05-25T06:42:41Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552887#M156941 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234662">@akankshayadav</a>&nbsp;</P><P>this search compares the previous event data to the last event data based on your timerange</P><LI-CODE lang="markup">| stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)</LI-CODE> Tue, 25 May 2021 07:05:15 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552887#M156941 aasabatini 2021-05-25T07:05:15Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552888#M156942 <P>sir can u please elaborate the code , how to frame it properly</P> Tue, 25 May 2021 07:10:01 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552888#M156942 akankshayadav 2021-05-25T07:10:01Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552889#M156943 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234662">@akankshayadav</a>&nbsp;</P><P>please describe how you would like the&nbsp; output search.</P> Tue, 25 May 2021 07:13:31 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552889#M156943 aasabatini 2021-05-25T07:13:31Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552891#M156945 <P>I have a file, say abc.csv, which I indexed once having events a b c , then i indexed it again after some days updating it, having events a b c d, again i indexed it at some point of time, having events a c and again then i uploaded it having events a b c.</P><P><BR />My desired output&nbsp;&nbsp;<BR />date 2- d</P><P>date 3- c</P><P>date 4- same</P> Tue, 25 May 2021 07:15:53 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552891#M156945 akankshayadav 2021-05-25T07:15:53Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552892#M156946 <LI-CODE lang="markup">index= &lt;your index&gt; | stats values(_indextime) as indextime by _raw | convert ctime(indextime)</LI-CODE> Tue, 25 May 2021 07:20:49 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552892#M156946 aasabatini 2021-05-25T07:20:49Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552920#M156955 <P>This solution gives&nbsp; _raw&nbsp; present in all the versions. Not the event which is different.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="akankshayadav_0-1621938511104.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14300i82A80FC90DF92DDC/image-size/medium?v=v2&amp;px=400" role="button" title="akankshayadav_0-1621938511104.png" alt="akankshayadav_0-1621938511104.png" /></span></P><P>&nbsp;</P> Tue, 25 May 2021 10:28:40 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552920#M156955 akankshayadav 2021-05-25T10:28:40Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552937#M156958 <P>ok now you can expand your indextime field</P><LI-CODE lang="markup">index= &lt;your index&gt; | stats values(_indextime) as indextime by _raw | convert ctime(indextime) | mvexpand idextime | table idextime _raw</LI-CODE> Tue, 25 May 2021 13:15:41 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552937#M156958 aasabatini 2021-05-25T13:15:41Z