I worked with the tutorial data. Here are my two searches:
1: sourcetype=access_* status=200 action="addtocart" | top clientip | table clientip | rename clientip AS ip1
2: search sourcetype=access_* status=200 action=purchase | top clientip | rename clientip AS ip2
I can then join both searches into one, just like this:
sourcetype=access_* status=200 action="addtocart" | top clientip | table clientip | rename clientip AS ip1 | table ip1 | join [search sourcetype=access_* status=200 action=purchase | top clientip | rename clientip AS ip2 | table ip2]
With this, you can display both ip1 and ip2.
To subtract ip1 and ip2, you can just add eval delta=ip1-ip2.
But you should know that we can't subtract IP addresses that way. If you work with integers or reals it will be OK, but not with IP addresses.
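The point in the answer above (the joined row gives you ip1 and ip2, but eval delta=ip1-ip2 is only meaningful on numbers) can be reproduced outside Splunk. The following Python is an added example, not part of the original post and not Splunk's own code: it emulates the one-row join and the eval subtraction on constructed sample rows, and then shows the step the answer says is missing, converting each address to its integer form with the standard ipaddress module before subtracting. The field names ip1/ip2 come from the post; the sample addresses and the positional join are assumptions made for the demonstration.

```python
import ipaddress

# Constructed sample rows, standing in for the single result row that each
# `top clientip | rename ...` search in the post would return. These are not
# real tutorial results.
ADDTOCART_TOP = [{"ip1": "87.194.216.51"}]
PURCHASE_TOP = [{"ip2": "87.194.216.50"}]


def join_rows(left_rows, right_rows):
    """Emulate the post's `| join [search ...]` for the one-top-client case:
    pair the rows positionally and merge their fields into one result row
    (assumption: each side yields a single row, as in the post)."""
    return [{**left, **right} for left, right in zip(left_rows, right_rows)]


def eval_delta(row, left, right):
    """Emulate `eval delta=left-right`: subtraction is defined on numbers only.
    Returns None when either field does not parse as a number, which is what
    happens with dotted-quad IP strings such as "87.194.216.51"."""
    try:
        return float(row[left]) - float(row[right])
    except (TypeError, ValueError):
        return None


def ip_to_int(ip):
    """Convert a dotted-quad (or IPv6) address string to its integer form so
    that arithmetic on it is meaningful. ipaddress does the parsing and
    validation; an invalid address raises ValueError."""
    return int(ipaddress.ip_address(ip))


def eval_ip_delta(row, left, right):
    """The arithmetic the post says cannot be done on raw IP strings: convert
    both addresses to integers first, then subtract. Returns None when either
    field is not a valid IP address."""
    try:
        return ip_to_int(row[left]) - ip_to_int(row[right])
    except ValueError:
        return None


def demo():
    """Run the joined-row scenario from the post and return both attempts."""
    row = join_rows(ADDTOCART_TOP, PURCHASE_TOP)[0]
    return {
        "joined": row,
        "string_delta": eval_delta(row, "ip1", "ip2"),  # None: IPs are not numbers
        "int_delta": eval_ip_delta(row, "ip1", "ip2"),  # 1: addresses differ by one
    }


if __name__ == "__main__":
    print(demo())
```

The numeric path behaves as the answer describes: eval_delta works for integer or real fields (for example the count field that top also emits) and yields nothing for IP strings, while eval_ip_delta shows what an integer conversion makes possible.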