You can do this without a join like this:
index="xyz-index" userId=*
| rename attributes.privateGroups as privateGroups attributes.publicGroups as publicGroups
Make sure the privateGroups and publicGroups fields exist in all events
| fillnull value="-" privateGroups publicGroups
Because we know fields with “-” in them were filled with fillnull:
| eval both=if(privateGroups!="-" AND publicGroups!="-",1,0)
| eval inPrivate=if(privateGroups!="-",1,0)
| eval inPublic=if(publicGroups!="-",1,0)
Ensure there is only one event per “type” (public-vs-private-vs-both) with userId:
| stats count by userId both inPrivate inPublic
Lastly, give a report of userIds that are in both, just public, and just public:
| stats sum(both) as both_count sum(inPrivate) as private_count sum(inPublic) as public_count by userId
from User warren – Stack Overflow https://stackoverflow.com/questions/62297606/delta-between-two-splunk-search-results/62307259#62307259
via IFTTT