Splunk Search

How is my `set diff` returning any difference if I'm using the same macro as both subsearches?

mbrownoutside
Path Finder

I'm building a dashboard where a user selects a dropdown item that has the value of a search macro name and then a single value panel is rendered as a stats dc(X) (where X is a named field found in both macros).

However, I'm running into a strange occurrence where if I select a macro to set diff against itself, the value isn't 0,

| set diff 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname] 
[ `ad_enabled_computer_objects_no_vdi_all` 
| fields asset_hostname]

This occurs on many macros that return results from many different data sources.

Has anyone experienced this with set diff ?

Thanks

Tags (3)
0 Karma

woodcock
Esteemed Legend

Because you are using subsearches which have both time, size and memory available limits, which may be hit at different places for different runs of the same search. There are MUCH better ways to do diffs than set diff and I always use those other ways. I have never had to use set diff to get the job done.

0 Karma

mbrownoutside
Path Finder

IT was my macro SPL. Once fixed, the issue did not persist. It happened that the two macros I tested were both incorrect. Of course. 😄

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...