(host=pnr-proxy-prod* OR host=master.menlosecurity.com OR host=pnr-webui-prod)
NOT (source=/var/log/safeview/haproxy.log OR source=/var/log/safeview/nginx-access.log)
(level= OR "error: " OR "ERROR: " OR "warn: " OR "[warn]" OR "WARNING: " OR "INFO:" OR "info:" OR warning: )
| dedup 1 keepempty=false _time, msregion,
| bucket _time span=5m
| rex field=_raw " (?<=[A+Z] - )(?[a-zA-Z]+)"

The high-level answer would be to find which data is missing and then run your collect command to summary index it. But it would be tricky to find which data is missing, considering the very heavy amount of data you have. Ideally, if you have specific criteria for which you see data, you need to apply those criteria to both the regular search and the summary index search and get a diff.
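
One way to carry out the diff described in the answer, as an added example that is not part of the original post: it compares per-5-minute event counts from the regular search and the summary index search and returns the time windows that need backfilling. It assumes both searches were run with the same criteria and their counts exported as (epoch seconds, count) rows; the function names and sample rows are constructed for illustration.

```python
SPAN = 300  # seconds; matches the 5-minute `bucket _time span=5m` in the search


def bucket_counts(rows):
    """Sum (epoch_seconds, count) rows into {bucket_start: total}."""
    totals = {}
    for ts, n in rows:
        start = int(ts) - int(ts) % SPAN
        totals[start] = totals.get(start, 0) + int(n)
    return totals


def coalesce(starts):
    """Merge adjacent bucket starts into (earliest, latest) windows, latest exclusive."""
    windows = []
    for s in sorted(starts):
        if windows and windows[-1][1] == s:
            windows[-1] = (windows[-1][0], s + SPAN)
        else:
            windows.append((s, s + SPAN))
    return windows


def find_gaps(regular_rows, summary_rows):
    """Diff the two result sets bucket by bucket.

    missing: the regular search has events, the summary index has none.
    partial: the summary index has some events, but fewer than the regular search.
    """
    regular = bucket_counts(regular_rows)
    summary = bucket_counts(summary_rows)
    missing = [b for b, n in regular.items() if summary.get(b, 0) == 0]
    partial = [b for b, n in regular.items() if 0 < summary.get(b, 0) < n]
    return {"missing": coalesce(missing), "partial": coalesce(partial)}


# Constructed sample data: BASE is aligned to a 5-minute boundary.
BASE = 1_700_000_100
REGULAR = [(BASE + 10, 4), (BASE + 200, 1), (BASE + 300, 3),
           (BASE + 600, 2), (BASE + 900, 7), (BASE + 1500, 1)]
SUMMARY = [(BASE, 5), (BASE + 900, 4), (BASE + 1500, 1)]

if __name__ == "__main__":
    for kind, windows in find_gaps(REGULAR, SUMMARY).items():
        for earliest, latest in windows:
            print(f"{kind}: earliest={earliest} latest={latest}")
```

Windows reported as missing can be used directly as the time range for the collect run; windows reported as partial already hold some summary events, so re-running collect over them without removing those first would duplicate data.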