How is my `set diff` returning any difference if I...

mbrownoutside · ‎12-04-2019

I'm building a dashboard where a user selects a dropdown item that has the value of a search macro name and then a single value panel is rendered as a stats dc(X) (where X is a named field found in both macros).

However, I'm running into a strange occurrence where if I select a macro to set diff against itself, the value isn't 0,

| set diff 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname] 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname]

This occurs on many macros that return results from many different data sources.

Has anyone experienced this with set diff ?

Thanks

woodcock · ‎12-05-2019

Because you are using subsearches which have both time, size and memory available limits, which may be hit at different places for different runs of the same search. There are MUCH better ways to do diffs than set diff and I always use those other ways. I have never had to use set diff to get the job done.

mbrownoutside · ‎12-05-2019

IT was my macro SPL. Once fixed, the issue did not persist. It happened that the two macros I tested were both incorrect. Of course. 😄

How is my `set diff` returning any difference if I'm using the same macro as both subsearches?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation