Splunk Search

How is my `set diff` returning any difference if I'm using the same macro as both subsearches?

mbrownoutside
Path Finder

I'm building a dashboard where a user selects a dropdown item that has the value of a search macro name and then a single value panel is rendered as a stats dc(X) (where X is a named field found in both macros).

However, I'm running into a strange occurrence where if I select a macro to set diff against itself, the value isn't 0,

| set diff 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname] 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname]

This occurs on many macros that return results from many different data sources.

Has anyone experienced this with set diff ?

Thanks

Tags (3)
0 Karma

woodcock
Esteemed Legend

Because you are using subsearches which have both time, size and memory available limits, which may be hit at different places for different runs of the same search. There are MUCH better ways to do diffs than set diff and I always use those other ways. I have never had to use set diff to get the job done.

0 Karma

mbrownoutside
Path Finder

IT was my macro SPL. Once fixed, the issue did not persist. It happened that the two macros I tested were both incorrect. Of course. 😄

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...