Scenarios:

1) searching email logs for an exact subject so I use quotes

index=mail sourcetype=xemail subject = "exact subject"

2) searching email logs for subjects that contains [blah blah] so I use *

index=mail sourcetype=xemail subject = *blah blah*

But what about * "blah blah" or * "blah blah" * or "blah blah" * ?

Can anyone explain the best way to search by "is" or "contains" ?

Thank you