I'd assume that the following would be more efficient, but I haven't tried it out.
source=set1.log NOT [search source=set2.log | dedup MAC | fields + MAC ]
i.e find all MACs from set2, then show all events from set1 whose MAC addresses do not match the subsearch.
Fri, 18 Nov 2011 20:30:40 GMT kristian.kolb

This can be achieved by the following search:
<code>source="set1.log" | JOIN type=left MAC [search source="set2.log" | eval x=1] | Where NOT x=1</code>
Explanation:
the subsearch will find events in set2.log and add a new field, x=1 to the event. (that is for D, E, F, G, the field x=1 will be associated to the events)
Then, were doing a LEFT JOIN, on the field MAC (which will return A B C D) , but we are leaving out those events for which x=1 (hence we are leaving out D).
Mon, 20 Jun 2011 23:03:52 GMT Genti