topic Re: how to compare two events in one search to highlight what's changed in Splunk Search

how to compare two events in one search to highlight what's changed

sx — Wed, 18 Aug 2021 12:44:14 GMT

Hi, I am trying to compare the between two events (json format), say, I can pipe with "head 2" to output only two events and then compare them and hight light what's changed, something like this:

<search syntax> | head 2

event 1

{

value: 20

status: high

category: A

}

event 2

{

value: 25

status: low

category: A

}

Output after compare looks like this or anything that can highlight the changes:

changed origin new

value 25 20

status low high

category is unchanged, so won't have to be highlighted. any help is appreciated.

Re: how to compare two events in one search to highlight what's changed

sx — Wed, 18 Aug 2021 12:51:53 GMT

To be more clear, the fields could be changed by adding more KV pares, for example, the second event should have a child KV pares like this:

{

value: 25

status: low

category: A

one_more_field: {

key: value

}

And I want this extra KV pare to be highlighted as well.

Re: how to compare two events in one search to highlight what's changed

sx — Fri, 20 Aug 2021 00:23:08 GMT

I think it's a common requirement in our daily operation, no body ever encounter such scenario?

Re: how to compare two events in one search to highlight what's changed

ITWhisperer — Fri, 20 Aug 2021 07:51:01 GMT

Try something like this

Re: how to compare two events in one search to highlight what's changed

sx — Mon, 23 Aug 2021 01:24:36 GMT

it helps, no the exact what I want, but it does work. thank you so much.