Ok, so I a trying my best to evaluate the differences between two search results.

Search 1 gives me a list of "vm_name"
index="1" sourcetype="1" source="1" | search state="running" | table vm_name

Search 2 gives me a list of "hostname"
index="2" source="2*" group=tcpin_connections | dedup hostname | table hostname

Each search is crafted from two different indexes and sourcetypes.

Both of these lists share common field values. For example, in search 1 vm_name can be named "MYPC" and on search 2 hostname is also "MYPC". Both are named MYPC and in reality, they are one and the same. However, I need to create a list that will essentially compare the values of both searches and if they match subtract them from one another and create the NEW list. The goal to remove MATCHED results from both searches to create a "DELTA's" list.

I have tried the "join" command but when I do the results from the second search results are completely messed up. I tried created lookups and added them to one search but I have the same problem. The only thing I can think of is maybe the issue is the search itself may yield metadata somewhere that screws up the results. For example, on search 2 I need to add "dedup hostname" to the search to retrieve an accurate list.