hortonew/Splunk-one-way-diff.txt

## Splunk-one-way-diff.txt
| set diff
[| makeresults count=1 | eval users="user1 user2 user6" | makemv users | mvexpand users | table users | append [search sourcetype=linux_secure logged_in_user!="" | table users] | stats values(users) as users | mvexpand users | table users]
[search sourcetype=linux_secure logged_in_user!="" | stats values(logged_in_user) as users | mvexpand users | table users]
	\| set diff
	[\| makeresults count=1 \| eval users="user1 user2 user6" \| makemv users \| mvexpand users \| table users \| append [search sourcetype=linux_secure logged_in_user!="" \| table users] \| stats values(users) as users \| mvexpand users \| table users]
	[search sourcetype=linux_secure logged_in_user!="" \| stats values(logged_in_user) as users \| mvexpand users \| table users]