Hi everyone, My post is huge. sorry for that. I need suggestion from you for the query I framed.

I have 2 lookup used (lookfileA, lookfileB)

column: BaseA > count by division in lookupfileA
column: Column_IndexA > to compare lookfileA under indexA and get matching host count
column: BaseB > count by division in lookupfileB
column: Inscope > count by division in lookupfileB with Active status
column: Column_OtherIndexes > to compare lookfileB under otherindexes and get matching host count

index=indexA
| lookup lookfileA host as hostname OUTPUTNEW Division
| fields hostname,Division
| stats dc(hostname) as "Column_IndexA" by Division
| append
[| tstats count where index IN ("win","linux") by host
| eval host=upper(host)
| fields - count
| join type=inner host
[| inputlookup lookfileA
| fields host, Division
| eval host=upper(host)]
| stats count as "Column_OtherIndexes" by Division]
| append
[| inputlookup lookfileA
| stats count as "BaseA" by Division]
| append
[| inputlookup lookfileB
| stats count as BaseB by category
| where category IN ("Win","Linux")
| rename category as Division]
| append
[| inputlookup lookfileB
| stats count as Inscope by category,status
| where category IN ("Win","Linux") AND status="Active"
| rename category as Division]
| fields Division,BaseB,Inscope,"Column_OtherIndexes","BaseA","Column_IndexA"
| stats values(*) as * by Division
| table Division,BaseB,Inscope,"Column_OtherIndexes","BaseA","Column_IndexA"
| eval Difference="Column_IndexA" - "Column_OtherIndexes"
| fillnull value=0
| addtotals col=t row=f labelfield=Division label=Total

Below is the sample output and I need to get difference column. Used eval command but getting error