Here is a joinless pattern:
index=ndx sourcetype=srctp requestID=* service IN(ServiceA, ServiceB)
| stats values(service) as service min(_time) as early max(_time) as late by requestID
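``` a single service value means the requestID was seen by only one of the two services ```
| where mvcount(service)<2
``` of those, drop the requestIDs seen only by ServiceB ```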
| search service=ServiceA
| eval early=strftime(early,"%c"), late=strftime(late,"%c")
from User warren – Stack Overflow https://stackoverflow.com/questions/79753971/how-to-find-entries-where-the-right-hand-side-of-an-outer-join-query-is-empty/79760194#79760194