Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How is my `set diff` returning any difference if I'm using the same macro as both subsearches?

mbrownoutside
Path Finder
‎12-04-2019 06:31 PM

I'm building a dashboard where a user selects a dropdown item that has the value of a search macro name and then a single value panel is rendered as a stats dc(X) (where X is a named field found in both macros).

However, I'm running into a strange occurrence where if I select a macro to set diff against itself, the value isn't 0, 

| set diff 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname] 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname]

This occurs on many macros that return results from many different data sources.

Has anyone experienced this with set diff ?

Thanks

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-05-2019 07:39 AM

Because you are using subsearches which have both time, size and memory available limits, which may be hit at different places for different runs of the same search. There are MUCH better ways to do diffs than set diff and I always use those other ways. I have never had to use set diff to get the job done.

0 Karma
Reply

mbrownoutside
Path Finder
‎12-05-2019 05:58 AM

IT was my macro SPL. Once fixed, the issue did not persist. It happened that the two macros I tested were both incorrect. Of course. 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...