set is an expensive operation. Use stats. Assuming that you want to look back 30 minutes, and that cf_app_name can have APP_A and APP_B, where APP_A should have a 5-minute lookback. Do something like:

(index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_A" earliest=-35m latest=-5m
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
OR (index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_B" earliest=-30m latest=now
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
| rex field="msg.message" "<REDACTED>"
| stats values(cf_app_name) by key timestamp
| where mvcount('values(cf_app_name)') = 1

Hope this helps.