@JandrevdM as your search is doing the same search twice just with a different user, you'd be better off just doing a single search and splitting by user, e.g. - similar to your existing search

index=db_assets sourcetype=assets_ad_users ($user1$ OR $user2$)
| dedup displayName sAMAccountName memberOf
| makemv delim="," memberOf
| mvexpand memberOf
| rex field=memberOf "CN=(?<Group>[^,]+)"
| where Group!=""
| stats values(Group) as Groups by user

which will give you a user column and then a multivalue field with the list of groups.

If you then want to automatically show the differences between the two users, you can follow that with

| transpose 0 header_field=user
| eval UniqueU1=mvmap(User1, if(User1!=User2,User1,null()))
| eval UniqueU2=mvmap(User2, if(User2!=User1,User2,null()))
| eval Common=mvmap(User1, if(User1=User2,User1,null()))

and it will give you a list of groups unique to user 1, user 2 and the common groups.

However, your existing search could be more efficiently done with

index=db_assets sourcetype=assets_ad_users ($user1$ OR $user2$)
| fields displayName sAMAccountName memberOf
| stats latest(*) as * by user
| eval memberOf=split(memberOf,",")
| rex field=memberOf max_match=0 "CN=(?<Group>.+)"
| fields - memberOf

If you really want a row by row breakdown of groups, you can do the base search and then just do this

| chart count over Group by user
| foreach * [ eval <<FIELD>>=if("<<FIELD>>"="Group", <<FIELD>>, if('<<FIELD>>'=1, "Member", "Missing")) ]

which will tell you membership status of each group per user.
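An added example, not part of the original answer: a Python cross-check of the unique/common group split, useful for validating the search output against a directory export. It assumes each user's memberOf is available as a list of full DNs (the sample values are constructed) and takes only the leading CN of each DN, so container components such as CN=Users are not counted as groups and a backslash-escaped comma inside a group name survives.

```python
import re

# A comma separates RDNs only when it is not backslash-escaped.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")

# Constructed sample memberOf values (assumption: one full DN per list item).
USER1_DNS = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Finance\\, EMEA,OU=Groups,DC=example,DC=com",
]
USER2_DNS = [
    "CN=vpn-users,OU=Groups,DC=example,DC=com",
    "CN=Helpdesk,CN=Users,DC=example,DC=com",
]


def group_cn(dn):
    """Return the CN of the first RDN of a DN, or None if that RDN is not a CN."""
    first_rdn = _UNESCAPED_COMMA.split(dn.strip(), maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN" or not value.strip():
        return None
    # Drop the backslash from simple escapes such as "\," (hex escapes are left as-is).
    return re.sub(r"\\(.)", r"\1", value.strip())


def compare_memberships(dns_a, dns_b):
    """Split two users' groups into only_a / only_b / common, ignoring case."""
    def names(dns):
        found = (group_cn(dn) for dn in dns)
        return {n.casefold(): n for n in found if n}

    a, b = names(dns_a), names(dns_b)
    return {
        "only_a": sorted(a[k] for k in a.keys() - b.keys()),
        "only_b": sorted(b[k] for k in b.keys() - a.keys()),
        "common": sorted(a[k] for k in a.keys() & b.keys()),
    }


if __name__ == "__main__":
    for bucket, groups in compare_memberships(USER1_DNS, USER2_DNS).items():
        print(f"{bucket}: {groups}")
```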