Problem is that process occurs more than once on the target system hence nProcess=1 is not working. index=x process_name=* | stats count (process_name) as nProcess by host process_name | where nProcess = 1 | where host=y gives zero results since all processes occur more than once on this host y Dedup on "host process combination" is also not a good idea. In pseudo sql language I would do select dc(process) from index a where host=X and process not in (select dc(process) from index a where host !=X) I tried following - but results are not consistent Experiment on 2 hosts 2            rundll32.exe        1            iexplore.exe        1            net.exe                  1            test.exe            1            rundll32.exe        So rundll32.exe is not unique since both host 1 and 2 have this value for process_name index=A process_name=* host=1 NOT [search index=A host=2 process_name=*     | fields process_name] | stats count by process_name   process_name count iexplore.exe 6 net.exe 2 test.exe 4   The expected result... but... when extending this to full population except host 1 in the subquery index=A process_name=* host=1  NOT [search index=A process_name=* host!=1     | fields process_name] | stats count by process_name   process_name count iexplore.exe 6 test.exe 4 rundll32.exe 2   Strangely enough rundll32.exe is still in the result but should have been removed since this process occured on host 1 and host 2 (and probably on numerous other hosts as well) ... View more