Check this, from a similar post -

Source1
192.168.0.1
192.168.0.2
192.168.0.3
Source2
192.168.0.1
192.168.0.2
192.168.0.4
192.168.0.5

Output
192.168.0.3

index=AV "VirusAlert" earliest=-1h | field CLIENTIP | dedup CLIENTIP |  eval ip=VirusAlert_ip | eval source1="Y" | table ip source1 
| join ip type=outer [search index=AV "Remove" earliest=-1h| field CLIENTIP | dedup CLIENTIP | eval ip=Remove_ip |
 eval source2 = "Y" | table ip source2 ] 

After you run this command, you should have 3 columns of output: ip source1 source2

The ip column will be the ip address, of course. The source1 column will contain Y if the ip address existed in source1, and the source2 column will contain Y if the ip address existed in source2. To go further, you could append the following to the search to get the variations that you want

To only show IPs that appear in both, add:
| where source1 = "Y" AND source2 = "Y"

To only show IPs that appear ONLY in source1, add:
| where source1 = "Y" AND source2 != "Y"

You get the idea. There might be a more efficient way to do this, but this gives you a "base search" that is pretty flexible. You could even put the "base search" in a macro, which would make it even easier to type.

Note the use of earliest=-1h in the two searches; this will keep your working data size under reasonable control, and help keep the search reasonably quick.