There is not really any way that we can help you answer your "maybe match, maybe not match" question unless you more fully describe the use case to us. @thambisetty's answer is very good for the question you asked, but there is something else about your system that you have not explained.
What is in each file? LIke, in real life, how would a human being know that two records belonged together, or what to report on?
If there is a single key (for example a1) or combination of keys then use this kind of setup. With a combination of keys, you would set up matchkey1, matchkey2 etc.
(your search that gets all the records of type 1) OR
(your search that gets all the records of type 2)
| fields index foo bar ...list all the fields you want from any record ...
| rename COMMENT as "build a synthetic key if no key exists with the same name and value on each file"
| eval matchkey1 = case(record is type 1, build the match key for type 1 records,
record is type 2, build the match key for type 2 records)
| rename COMMENT as "make sure the names and data values are identifiable as where they came from"
| eval foo1=case(record is type 1,foo)
| eval foo2=case(record is type 2,foo)
| eval bar1=case(record is type 1,bar)
| eval bar2=case(record is type 2,bar)
| rename COMMENT as "get rid of unneeded fields then stats them all together"
| fields index matchkey1 foo1 foo2 bar1 bar2 ...list all the fields you want from any record ...
| stats values(*) as * by matchkey1
| rename COMMENT as "Compare each field to flag any issues"
| eval myFlag1=case(foo1=foo2,"foo matches",
isnull(foo1) AND isnull(foo2),"foo missing from both"
isnull(foo1),"foo missing from file 1"
isnull(foo2),"foo missing from file 2"
foo1!=foo2,"foo changed")
| eval myFlag2=case(bar1=bar2,"bar matches",
isnull(bar1) AND isnull(bar2),"bar missing from both"
isnull(bar1),"bar missing from file 1"
isnull(bar2),"bar missing from file 2"
bar1!=bar2,"bar changed")
and so on.
... View more