I am trying to simplify the search below, which has a long chain of hard-coded match() filters used to decide which alerts to suppress.
Any suggestions or recommendations for driving these rules from a lookup instead of hard-coding them in the search itself?
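```Alert-suppression search: pulls PROBLEM events from the monitoring index and sets
alert_suppress="1" for events that should not page, "0" otherwise.
Requires Splunk 8.0+ for these triple-backtick comments; strip them on older versions.```
index=myindex "PROBLEM"
```NOTE(review): as written, the lazy `^.+?` with nothing after it captures exactly ONE
character, so alert_service would never match any service pattern below. The original
almost certainly had a terminator after the group (a separator, \s, etc.) that was lost
in the paste — confirm against the real event format before reusing this line.```
| rex field=_raw "(?<alert_service>^.+?)"
```alert_host and alert_info are not extracted here; they must come from field extractions
configured elsewhere. If a field is missing, match() yields null, case() skips that branch
and the event falls through to "0" (NOT suppressed) — a safe default.

Every branch returns "1", so branch order does not change the result; it only decides
which rule "wins". match() is a case-sensitive regex test (no wildcard semantics).

Rules that deserve a second look before they are moved into a lookup:
  * Disk/Disk_inode/Memory/Load are suppressed on EVERY host — capacity alerts are lost fleet-wide.
  * Any host beginning acwin/netmon/vma is suppressed regardless of service.
  * "Service check timed out after" is suppressed globally; a timeout is often the first
    symptom of an outage or resource exhaustion, so this hides real incidents.
  * The puppet rule lists dbrac-scan twice (with and without a trailing digit) — harmless, but
    worth collapsing when the rule is migrated.

Migration to a lookup: keep one CSV row per rule with separate pattern columns for service,
host and info, and apply it with the lookup command using per-field match_type entries in
transforms.conf (WILDCARD or, where regex is really needed, CIDR/EXACT plus a regex column
evaluated with match() afterwards). Treat that CSV as security-relevant configuration: whoever
can edit it can silence alerts, so restrict write access, keep it under change review, and
log edits.```
| eval alert_suppress = case(
    match(alert_service, "^Swarm_"), "1",
    match(alert_service, "^HTTPS\s+Certificate\s+Status$") AND match(alert_info, "expire"), "1",
    match(alert_service, "^(Disk|Disk_inode|Memory|Load)$"), "1",
    match(alert_service, "^Qualys\s+Service\s+Test$") AND match(alert_host, "^(papi|pbo|pfo|pip|ppb|pps|prep|ptp)"), "1",
    match(alert_service, "ceph-mon") AND match(alert_host, "^masifdat[0-9][0-9]"), "1",
    match(alert_service, "puppet") AND match(alert_host, "(((dbmgmt|dbrac|qkafka|qzkpr|qkafkamgmt|(dbrac-scan)|fproxy|pproxy)\d+)|(dbrac-scan))\."), "1",
    match(alert_service, "crond") AND match(alert_host, "(fproxy|pproxy)[0-9]{2}\."), "1",
    match(alert_host, "^(acwin|netmon|vma)"), "1",
    match(alert_info, "Service check timed out after"), "1",
    true(), "0")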