I have a search that returns one result, one of the fields is called whatchanged, and this field really has two values within the one field. I used makemv to separate the one value into two values, and then I use mvexpand on the field WhatChanged, followed by diff. It looks like this:
What I am trying to accomplish is identifying what exactly changed between the two fields. Splunk knows the two are different, (as I do to), but it is not telling me from the string of text what has changed.
value 1 = hello my name is mark and I am happy
value 2 - hello my name is mark and I am sad
I would like for the word "sad" to be called out as the change.
Any thoughts on how to do this, or if it is even possible?
I don't know much about your requirements but this might be helpful with some modifications
| makeresults | eval data = "hello my name is mark and I am happy---hello my name is mark and I am sad" | makemv delim="---" data | eval field1= mvindex(data,0), field2=mvindex(data,1) | makemv delim=" " field1 | makemv delim=" " field2 | eval field = mvzip(field1,field2) | table field | mvexpand field | makemv delim="," field | eval field1= mvindex(field,0), field2=mvindex(field,1) | eval diff = if(field1==field2,"",field1."/".field2)