What you’re describing can be done either with join (the more "obvious" path), or stats:
join:
index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid="1"
| stats count by uniquehash times
| fields - count
| rename times as unique1
| join uniquehash
[| search index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid="2"
| stats count by uniquehash times
| fields - count
| rename times as unique2 ]
Note, using join is generally not suggested – the innermost search will be capped at 60s run time or 50k rows returned (so run the fastest/shortest search innermost)
Additionally, this will get very cumbersome if you need to do more than a couple "uniqueid" comparisons
stats:
index=ndx sourcetype=srctp uniquehash=* times=* uniqueid=*
| eval idkt=uniqueid+","+times
| stats values(idkt) as idkt by uniquehash
| where mvcount(idkt)>1
| mvexpand idkt
| rex field=idkt "(?<uniqueid>\S+)\s(?<times>.+)"
| table uniquehash uniqueid times
from User warren – Stack Overflow https://stackoverflow.com/questions/44939134/comparing-search-results-from-two-separate-searches/73081830#73081830
via IFTTT