Hi , I have two queries, that have a common field someField one helps me find inconsistencies: sourcetype="my_source" someLog inconsistencies  other helps me find consistencies sourcetype="my_source" someLog consistencies  This gives me both consistencies and inconsistencies: sourcetype="my_source" someLog  Note that someLog  is just a text used an identifier that's common for both the queries. if the someField was logged as inconsistent it can be logged as consistent in the future.   How can I find those values of someField that are truly inconsistent in a given time frame, retrospectively?i.e. if currently values are inconsistent I want to be able to search (in the past or future relative to the current search) those values that are truly inconsistent - not part of the consistent results in that time frame ... View more

I am working on building a query to search retrospectively and potentially run a report. Let's say the first search is index=some_index "inconsistencies" | dedup someField and the second is index=some_index "consistent" someField IN (fieldValuesFromPrevMsg) | dedup someField   I want to check whether a field seen in the first search is part of the second search (which has a slightly different query but has same field) in a custom time frame.(could be in the future relative to the first search or in the past) I'm new to splunk, can someone please help me with this?     ... View more