Use this macro:
[convert_search_from_ORs_to_IN]
definition = rename COMMENT AS "EXTREME WARNING!!! THIS IS ONLY VALID IF YOU ARE USING A SINGLE FIELD!!!!"\
| rex field=search mode=sed "s/^\(\s*\(\s*// s/\s*\)\s*\)$/)/ s/=/ IN(/ s/\s*\)\s*OR\s*\([^=]+=/,/g"
errormsg = Description: Author=Gregg Woodcock; this is necessary because if the number of characters in a search string is too great, the search may fail; this conversion saves ~50%!
iseval = 0
Then, any place where you are doing something like this:
index=foo [|inputlookup tableOfHosts | table host]
Change it to this:
index=foo [|inputlookup tableOfHosts | table host | `convert_search_from_ORs_to_IN`]
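An added illustration, not part of the original answer: a Python model of the macro's four sed substitutions, showing what they produce for a single-field subsearch and why the single-field warning matters. It assumes the subsearch string has the `( ( host="a" ) OR ( host="b" ) )` shape; the sample values and the `safe_ors_to_in` guard are constructed for this example.

```python
import re

# The four substitutions from the macro's sed string, in order.
# Only the last one carries the /g flag, so the others use count=1.
SED_STEPS = [
    (r"^\(\s*\(\s*", "", 1),             # drop the leading "( ( "
    (r"\s*\)\s*\)$", ")", 1),            # collapse the trailing " ) )" to ")"
    (r"=", " IN(", 1),                   # first "=" becomes " IN("
    (r"\s*\)\s*OR\s*\([^=]+=", ",", 0),  # every ") OR ( field=" becomes ","
]

def ors_to_in(search: str) -> str:
    """Apply the macro's substitutions to a subsearch string."""
    for pattern, repl, count in SED_STEPS:
        search = re.sub(pattern, repl, search, count=count)
    return search

def fields_used(search: str) -> set:
    """Field names seen as name="value" (simplified: assumes no '="' inside values)."""
    return set(re.findall(r'(\w+)="', search))

def safe_ors_to_in(search: str) -> str:
    """Hypothetical guard: convert only when exactly one field is present."""
    if len(fields_used(search)) != 1:
        return search  # leave multi-field searches untouched
    return ors_to_in(search)

# Constructed sample inputs (assumed shape of the subsearch output).
SINGLE = '( ( host="web01" ) OR ( host="web02" ) OR ( host="db01" ) )'
MULTI = ('( ( host="web01" AND src="10.0.0.5" ) OR '
         '( host="web02" AND src="10.0.0.6" ) )')

if __name__ == "__main__":
    converted = ors_to_in(SINGLE)
    print(converted, f"({len(SINGLE)} -> {len(converted)} chars)")
    # With two fields the rewrite yields a malformed IN() clause.
    print("unguarded:", ors_to_in(MULTI))
    print("guarded:  ", safe_ors_to_in(MULTI))
```
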