Hello,
I am trying to make a search that will return the messages from logs from one set, but not from the other. Unfortunately, I only want the unique results of one set, not the unique results of both of them. So I think that is akin to set A - Set B in set theory.
I tried:
| set diff [search tag=$env$ level=error earliest=-2d | dedup message | table message] [search tag=$env$ level=error | dedup message | table message]
Which works, but gives me the elements unique to both sets combined then, which isn't good for what I want.
So I tried to do the difference intersected with the "today" search. Kind of a roundabout way that would require more searching, but I wanted to get it working.
This is my attempt at diff intersect original search:
| set intersect [search tag=$env$ level=error earliest=4/9/2016:00:00:00 latest=now | dedup message | table message] [set diff [search tag=$env$ level=error earliest=4/9/2016:00:00:00 latest=now | dedup message | table message] | search NOT [search tag=$env$ level=error | dedup message | table message ]] | return message
My syntax is incorrect, so I get
Error in 'set' command: Three arguments are required: [] [+(union) | -(diff) | ^(intersect)] [].
from Splunk. I tried a bunch of tweaks to the syntax, so I'm probably way off at this point. I'm not entirely sure what the syntax would be to pull this off, if it's possible at all.
Finally, I tried to follow this:
https://answers.splunk.com/answers/151315/how-to-find-differences-between-two-searches-with-set-diff-command.html
My search was:
[search tag=$env$ level=error earliest=4/9/2016:00:00:00 latest=now | dedup message | table message] NOT [search tag=$env$ level=error | dedup message | table message]
It resulted in an error of:
Regex: regular expression is too large
Not sure what that means.
Anyways, I don't know if any of my searches are salvageable. To repeat, I basically want to pull all of the unique messages (or whichever field I choose) out of a given time period that did not exist before that time period. So for example:
**Past:**
message: Error 1
timestamp: 1/1/2016
message: Error 2
timestamp: 1/2/2016
**Today (or whatever time period is between earliest and latest):**
message: Error 1
timestamp: 4/2/2016
message: Error 2
timestamp: 4/3/2016
message: Error 3
timestamp: 4/3/2016
**Final output of new unique messages:**
message: Error 3
Thanks.
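One way to get "messages seen in the window that were never seen before it" (set A minus set B) without nesting `set` commands or feeding a large subsearch into `NOT [...]`. This is an added example, not the original poster's search or the answer from the linked thread: a single search covers both the baseline and the window of interest, `stats` finds the earliest occurrence of each distinct `message`, and `where` keeps only the messages whose first occurrence falls inside the window. The `-30d@d` baseline and the `-2d@d` window are assumed values chosen for illustration; `tag=$env$ level=error` and the `message` field are taken from the post.

```spl
tag=$env$ level=error earliest=-30d@d latest=now
| stats min(_time) AS first_seen, count AS occurrences BY message
| where first_seen >= relative_time(now(), "-2d@d")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort - occurrences
| table message first_seen occurrences
```

With the sample data above, "Error 1" and "Error 2" have a `first_seen` in January and are dropped, while "Error 3" first appears on 4/3/2016 and is kept. Because `stats ... BY message` already produces one row per distinct message, `dedup message` is not needed, and the whole computation stays in one search pipeline, so the subsearch result limits and the expanded `message=... OR message=...` filter that the `NOT [search ...]` form relies on never come into play. Note that `set diff` is a symmetric difference (elements unique to either side), which is why the first attempt in the post returned messages from both sets.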