How is my `set diff` returning any difference if I...

mbrownoutside · ‎12-04-2019

I'm building a dashboard where a user selects a dropdown item that has the value of a search macro name and then a single value panel is rendered as a stats dc(X) (where X is a named field found in both macros).

However, I'm running into a strange occurrence where if I select a macro to set diff against itself, the value isn't 0,

| set diff 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname] 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname]

This occurs on many macros that return results from many different data sources.

Has anyone experienced this with set diff ?

Thanks

woodcock · ‎12-05-2019

Because you are using subsearches which have both time, size and memory available limits, which may be hit at different places for different runs of the same search. There are MUCH better ways to do diffs than set diff and I always use those other ways. I have never had to use set diff to get the job done.

mbrownoutside · ‎12-05-2019

IT was my macro SPL. Once fixed, the issue did not persist. It happened that the two macros I tested were both incorrect. Of course. 😄

How is my `set diff` returning any difference if I'm using the same macro as both subsearches?

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment