Hi @niketn , Thank you for your inputs on this. I have tried excluding the warnings using the above and still did not get the desired result. I think the issue is with the requirement itself. The developers are asking to just look for ERROR logs using the key word "error" and not a pattern. All the errors are being listed with the query but the challenge is to categorize those errors as unique. For example an exception like below:  [2020-09-10 16:46:08.696 GMT] ERROR ShopAPIServlet|1070221786|/servlet/s/Sites-Site/dw/shop/v19_3/orders/2300010101/payment_instruments custom.OCAPI [] OCAPI:{"orderNumber":"2300010101","orderStatus":"NEW","orderSource":"APP"} [2020-09-10 16:44:11.182 GMT] ERROR ShopAPIServlet|225074421|/servlet/s/Sites-Site/dw/shop/v19_3/orders/23053842/payment_instruments custom.OCAPI [] OCAPI:{"orderNumber":"23053842","orderStatus":"NEW","orderSource":"APP"}  With just ERROR splunk categorizes these exceptions as unique as I am not ignoring the order number for example....which is expected.  Since they are trying to extract the new error patterns without knowing the what the new patterns would be it ..I am finding it hard to suggest a solution.      ... View more

@niketn Thank you for your reply. I am new to splunk so please help!  In the above query how can i exclude the sourcetype 'warn' to exclude warnings ?    Also I need to dynamically consider the error patterns and the since I do not know what the new error pattern would be, I am only looking for "ERROR" for now. ... View more

Thank you for the reply!! In the example above I do not want all the error count in both indexes.  The error count is needed for unique errors  1. Get all the errors for a time period for both indexes 2. Compare results for both indexes and display  a. Unique error count for unique errors in index 1 and NOT in index 2  b. Unique error count for unique errors in index 2 and NOT in index 1   ... View more

Thank you @ITWhisperer  for the reply. The developers are looking for a unique list of errors in the below format. For example: Suppose below are the results for two queries (unique errors are Italic)   index=prod "errors"   1.error in apple  2. error in banana 3. error in orange  4. error in orange 5. error in apple  6. error in banana     index=dev "errors"   1.error in apple  2. error in banana 3. error in kiwi 4. error in kiwi 5. error in watermelon 6. error in apple  7. error in banana   The query results should look like below:  Unique errors in Prod:  error pattern                 count error in orange                  2 Unique errors in Dev: error pattern                 count error in kiwi                        2 error in watermelon       1 ... View more