I have 2 searches: one returns result set A and the other one returns result set B. I would like to get the results of A/B (results that appear in A but do not appear in B). To be more specific:

First query is:

index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> "some log message" "accountId=1234"
| rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
| stats values(correlation_id)

The query returns a list of correlation_id, such as:

values(correlation_id)
11
22
33

Second query is almost identical (different log message):

index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> "Other log message" "accountId=1234"
| rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
| stats values(correlation_id)

So the result is in the same structure, for example:

values(correlation_id)
11
88

I would like a query which results in A/B, so in this case it should be:

values(correlation_id)
22
33

I tried this query but it doesn't work:

index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> "some log message" "accountId=1234"
| rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
| stats values(correlation_id)
| search NOT in [search index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> "Other log message" "accountId=1234"
    | rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
    | stats values(correlation_id)]
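Two ways to express A minus B in SPL, added here as an example and not part of the question above. Both keep the question's placeholders and its `rex` extraction from the `line` field; the first filters the extracted correlation_id against the second search as a subsearch before aggregating (so the subsearch returns single-valued `correlation_id` values, not the multivalue `values(correlation_id)` field the posted attempt compares against), and the second avoids the subsearch entirely by tagging each event with whether it came from the "Other log message" side and keeping only ids that were never tagged.

```spl
index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> "some log message" "accountId=1234"
| rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
| search NOT [
    search index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> "Other log message" "accountId=1234"
    | rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
    | stats count BY correlation_id
    | fields correlation_id
  ]
| stats values(correlation_id)

index="<...>" "attrs.pod"="<...>" "attrs.env"=<...> ("some log message" OR "Other log message") "accountId=1234"
| rex field=line "accountId=(?<account_id>[0-9]+).*correlationId=(?<correlation_id>[\w-]+)"
| eval in_b=if(match(line, "Other log message"), 1, 0)
| stats max(in_b) AS in_b BY correlation_id
| where in_b=0
| stats values(correlation_id)
```

In the first form the subsearch is expanded into `( correlation_id="11" ) OR ( correlation_id="88" )` and negated, so it is subject to the default subsearch result and time limits; the second form runs as one search and is the safer choice when B can be large.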