Diff help please


I have a search that returns one result. One of the fields is called WhatChanged, and this field really has two values within the one field. I used makemv to separate the one value into two values, and then I use mvexpand on the field WhatChanged, followed by diff. It looks like this:

....... | makemv delim="---" WhatChanged | mvexpand WhatChanged | diff attribute=WhatChanged

What I am trying to accomplish is identifying what exactly changed between the two fields. Splunk knows the two are different (as I do too), but it is not telling me from the string of text what has changed.

For example:

value 1 = hello my name is mark and I am happy

value 2 = hello my name is mark and I am sad

I would like for the word "sad" to be called out as the change.

Any thoughts on how to do this, or if it is even possible?


Re: Diff help please


I don't know much about your requirements, but this might be helpful with some modifications:

| makeresults
| eval data="hello my name is mark and I am happy---hello my name is mark and I am sad"
| makemv delim="---" data
| eval field1=mvindex(data,0), field2=mvindex(data,1)
| makemv delim=" " field1
| makemv delim=" " field2
| eval field=mvzip(field1,field2)
| table field
| mvexpand field
| makemv delim="," field
| eval field1=mvindex(field,0), field2=mvindex(field,1)
| eval diff=if(field1==field2,"",field1."/".field2)
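
The search in the reply compares words by position (word N of one value against word N of the other), which fits values that have the same number of words. As an added example that is not part of the original thread, this Python sketch aligns the two word lists with `difflib` so that inserted or removed words are reported as well; the function names and the second and third sample strings are constructed for illustration, and it assumes the "---" delimiter from the question.

```python
import difflib

DELIM = "---"  # separator between old and new value, as in the question


def word_changes(what_changed, delim=DELIM):
    """Return (op, old_words, new_words) for each differing run of words.

    op is a difflib opcode tag: 'replace', 'delete' or 'insert'.
    """
    old, sep, new = what_changed.partition(delim)
    if not sep:
        raise ValueError("delimiter %r not found in value" % delim)
    a, b = old.split(), new.split()
    # autojunk=False keeps frequently repeated words in the alignment.
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((tag, " ".join(a[i1:i2]), " ".join(b[j1:j2])))
    return changes


def summarize(what_changed):
    """Render the changes as one short string suitable for a result field."""
    parts = []
    for tag, old, new in word_changes(what_changed):
        if tag == "replace":
            parts.append('"%s" -> "%s"' % (old, new))
        elif tag == "delete":
            parts.append('-"%s"' % old)
        else:  # insert
            parts.append('+"%s"' % new)
    return "; ".join(parts)


if __name__ == "__main__":
    samples = [
        # Sample from the question: one word replaced.
        "hello my name is mark and I am happy---hello my name is mark and I am sad",
        # Constructed: a word inserted, which shifts every later position.
        "hello my name is mark and I am happy---hello my name is mark and I am very happy",
        # Constructed: trailing words removed.
        "allow ssh from any---allow ssh",
    ]
    for value in samples:
        print(summarize(value))
```
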