Hi, I tried understanding the diff command from the Splunk docs but was unable to understand it. Could you please let me know the use of the diff command and what exactly it does? It would be great if the answer came with an example. Thanks
Hi,
The diff command will give you the difference between two search results. Refer to the link below for an example:
https://answers.splunk.com/answers/151315/how-to-find-differences-between-two-searches-with-set-diff...
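An added SPL example, not part of the answer above, showing the two commands Splunk offers for "differences between search results". The index, sourcetype and field names (index=auth, sourcetype=linux_secure, action, user) are assumed placeholders; substitute your own. The first search uses set diff, which returns the rows present in either subsearch but not in both (a symmetric difference), here users who logged in successfully on exactly one of the last two days. The second search uses the NOT-subsearch idiom, which is what you want when you need a one-sided difference (users seen yesterday who were never seen the day before). The third uses the diff command itself, which compares two individual results by position and prints a line-by-line diff of the chosen attribute (_raw by default).

```spl
| set diff
    [search index=auth sourcetype=linux_secure action=success earliest=-2d@d latest=-1d@d | stats count by user | fields user]
    [search index=auth sourcetype=linux_secure action=success earliest=-1d@d latest=@d | stats count by user | fields user]

index=auth sourcetype=linux_secure action=success earliest=-1d@d latest=@d
    NOT [search index=auth sourcetype=linux_secure action=success earliest=-2d@d latest=-1d@d | stats count by user | fields user]
| stats count AS logins_yesterday BY user

index=auth sourcetype=linux_secure user=alice
| head 2
| diff position1=1 position2=2 attribute=_raw
```

Note that set diff is symmetric, so a user who appears in the first search but not the second and a user who appears in the second but not the first both come back; if the direction matters (for instance "new accounts that never authenticated before"), use the NOT-subsearch form. The diff command is rarely what people want for alerting: it operates on exactly two rows of one result set, which makes it useful for eyeballing how two versions of a config-audit event differ, not for comparing two searches.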
diff can be used to get the difference between epoch times.
Please see the example below, where I used this query for setting my alert:
your base query | eval MyDate=strptime(date,"%d %b %Y %H:%M:%S") | fieldformat StartTime=strftime(MyDate, "%Y-%m-%d %H:%M:%S") | eval Diff=tostring((MyDate-EndTime),"duration")
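An added worked example, not from the answer above, of computing a duration between two timestamps in SPL end to end. It assumes a VPN log with one login and one logout event per session (index=vpn, sourcetype=vpn_log, and the fields event_time, action, user and session_id are placeholders). The point it demonstrates is the order of operations that the query above gets backwards: strptime turns a timestamp string into epoch seconds, the subtraction is done on those epoch values, and strftime (inside fieldformat) is applied last, purely for display, because fieldformat never changes the stored value and a field produced by strptime is a number, not a string you can parse again.

```spl
index=vpn sourcetype=vpn_log (action=login OR action=logout)
| eval event_epoch=strptime(event_time, "%d %b %Y %H:%M:%S")
| stats min(eval(if(action="login", event_epoch, null()))) AS StartTime
        max(eval(if(action="logout", event_epoch, null()))) AS EndTime
        BY user, session_id
| eval DurationSec=EndTime-StartTime
| eval Duration=tostring(DurationSec, "duration")
| where DurationSec > 8*3600
| fieldformat StartTime=strftime(StartTime, "%Y-%m-%d %H:%M:%S")
| fieldformat EndTime=strftime(EndTime, "%Y-%m-%d %H:%M:%S")
| table user, session_id, StartTime, EndTime, Duration
```

Sessions that have a logout but no matching login (or vice versa) produce a null StartTime or EndTime, so DurationSec is null and the where clause silently drops them; if those half-open sessions are themselves the thing you want to alert on, replace the where with a condition such as isnull(EndTime). The duration string that tostring produces is of the form HH:MM:SS (or D+HH:MM:SS past 24 hours), which is why the numeric DurationSec is kept as a separate field for the comparison rather than comparing the formatted string.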