
Multiple diff commands in same search

Communicator

I am using diff to compare two results from a search. Everything works great if my search only returns two results. What if my search returns more valid results? Can I perform multiple diffs within the same set of search results?

I am trying to build a daily report that breaks down the details of a specific type of incident. Each time the incident happens, it generates two events. Part of the information needed in the report involves the differences between the two events. The incident can happen any number of times each day.

Specifically the report I am trying to generate is anytime permissions are changed on an object in Active Directory. When this happens, two logs are generated, one with the permissions before the change, and one with the permissions after the change. I use the diff command to look at the two events, identify what the specific change was, and then manipulate it for reporting. The plan was to run the search over “yesterday” and get a list of all the changes.

The problem is once I use the diff command, it compares the two events specified with the argument position1 and position2, and seems to throw everything else away…

Obviously I can shrink the time window to reduce the likeliness of multiple results, but that is not an acceptable solution. I would rather not run the search in real-time.

I need to be able to diff each pair of events, no matter how many of them are returned by the search.

0 Karma

Re: Multiple diff commands in same search

SplunkTrust

Context: http://answers.splunk.com//answers/131247/identify-specific-text-differences-between-two-fields

The diff command in and of itself will only work with exactly two events, yeah... I see two ways around this. Both ways involve merging the two events together into one first, with fields oldvalue and newvalue. I'm sure that'll be easy enough to do.

Option one, you could write a custom search command that performs a diff between two fields of an event, for each event individually. The upside, it'd be fairly straightforward to use in the search and you could publish the command to Splunk Apps. The downside, you'd have to build the command.

Option two, you might get away with some map shenanigans. Untested thoughts:

base search yielding one event for every change, merged together with fields newvalue and oldvalue | map search="stats count | eval value = \"$newvalue$###$oldvalue$\" | makemv delim=\"###\" value | mvexpand value | diff attribute=value"

That should run a diff search for each event yielded by the search before that, comparing the two fields as two events.

0 Karma
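
The per-event diff described in option one, sketched as an added example (not code from the thread, and not a packaged Splunk command): it merges each before/after pair into one event with oldvalue and newvalue, then diffs the two fields for every pair. The field names `change_id`, `object`, `perms` and the SDDL-style sample values are assumptions made for illustration.

```python
import difflib
import re
from collections import defaultdict

# Assumption: permission values look like SDDL, one "(...)" group per ACE.
ACE_RE = re.compile(r"\([^)]*\)")

def split_entries(value):
    """Split a permission string into ACEs, or into lines if it is not SDDL-like."""
    return ACE_RE.findall(value) or value.splitlines()

def merge_pairs(events, key="change_id"):
    """Merge the before/after events of each change into one oldvalue/newvalue event."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    merged = []
    for change_id, pair in groups.items():
        if len(pair) != 2:
            continue  # unpaired event, e.g. its partner fell outside the time window
        before, after = sorted(pair, key=lambda e: e["_time"])
        merged.append({key: change_id, "object": before["object"],
                       "oldvalue": before["perms"], "newvalue": after["perms"]})
    return merged

def diff_fields(event):
    """Diff oldvalue against newvalue within a single merged event."""
    old, new = split_entries(event["oldvalue"]), split_entries(event["newvalue"])
    delta = list(difflib.ndiff(old, new))
    return dict(event,
                added=[d[2:] for d in delta if d.startswith("+ ")],
                removed=[d[2:] for d in delta if d.startswith("- ")])

def report(events):
    """One row per change, however many changes the search returned."""
    return [diff_fields(m) for m in merge_pairs(events)]

# Constructed sample events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"_time": 1, "change_id": "c1", "object": "CN=Alice", "perms": "(A;;RP;;;AU)(A;;RPWP;;;DA)"},
    {"_time": 2, "change_id": "c1", "object": "CN=Alice", "perms": "(A;;RP;;;AU)(A;;RPWP;;;DA)(A;;GA;;;BO)"},
    {"_time": 3, "change_id": "c2", "object": "OU=Servers", "perms": "(A;;RP;;;AU)(A;;WD;;;BO)"},
    {"_time": 4, "change_id": "c2", "object": "OU=Servers", "perms": "(A;;RP;;;AU)"},
    {"_time": 5, "change_id": "c3", "object": "CN=Bob", "perms": "(A;;RP;;;AU)"},
]

if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row["object"], "added:", row["added"], "removed:", row["removed"])
```

Rows with a non-empty `added` list are the ones where rights were granted, which is usually what a daily permission-change report needs to surface first.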