I am trying to do something in a rather complex search, but I believe I can map it down to the following.
I would like to use variable expansion or other (preferably simple) magic to recreate this query:
index=xyz severity=WARN ("This" OR "That")
So something like
index=xyz severity=WARN | eval foo="This" | eval bar="That" | search ($foo$ OR $bar$)
There is a caveat that much later in the query I'd also need to filter on
A_FieldValue="*$foo$*"
(I am aware of the performance penalty of wildcard prefixes.)
----
Possibly presenting a more specific (less contrived, but still contrived) example would help me find alternate answers:
How would one go about crafting a query to find log messages that contain the current e.g. year month day, as of the time of execution of the query?
index=xyz severity=WARN | eval mentionsThisMonth=strftime(_time,"%Y.%m") | search "$mentionsThisMonth$*
At this point I'm assuming I'll have to regex into a field and then compare the field to the calculated variable. Better (more performant, less memory- and CPU-hungry) solutions would be most welcome.
Note: I am absolutely NOT interested in how to use date ranges, which is all you find when you try to google anything to do with 'search' and 'date' as concepts together. I mean literally that there is a date-like thing in the raw log that isn't quite date-like enough to be automatically parsed out into a field.
Thanks much,
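As an added worked example (not part of the original post), two ways to get an eval-computed value into the match without `$token$` syntax, which SPL only expands inside dashboards: `where like()` filters after retrieval, while a subsearch that returns a field named `search` is spliced into the base search as a literal and so is applied at the indexers. The index, field and values are the ones from the question; nothing else is assumed.

```spl
/* Option 1: compute the values with eval and compare post-search with like().
   Works, but every WARN event is pulled back before the string test runs. */
index=xyz severity=WARN
| eval foo="This", bar="That"
| where like(_raw, "%" . foo . "%") OR like(_raw, "%" . bar . "%")
/* ... later in the pipeline the same field is reused for the wildcard filter */
| where like(A_FieldValue, "%" . foo . "%")

/* Option 1 applied to the "current month" case: build the string from now(),
   not from _time, so it is fixed at query-execution time. */
index=xyz severity=WARN
| eval mentionsThisMonth=strftime(now(), "%Y.%m")
| where like(_raw, "%" . mentionsThisMonth . "%")

/* Option 2: let a subsearch generate the literal. A subsearch whose result
   has a field named "search" is substituted verbatim into the outer search,
   so the quoted term is evaluated at the indexers like a hand-typed string. */
index=xyz severity=WARN
    [| makeresults
     | eval search="\"" . strftime(now(), "%Y.%m") . "\""
     | fields search]
```

Option 2 is the one to prefer when the computed term is selective enough to cut the event volume, since Option 1 still scans every matching WARN event; for the trailing `A_FieldValue="*…*"` filter the `like()` form in Option 1 is the equivalent post-search test.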