Channel: Latest Questions on Splunk Answers

Using Subsearch to Narrow Data: Contradictory and Inefficient?


Hey spelunkers,

I am using a search that has many conditionals, and each conditional further narrows the pile of results. This search narrows logs down by information contained in their messages. I am having a problem with the very last conditional. The conditional is to only print CPU messages IF "temperature" or "running" is also in the log. (cpu and temperature) or (cpu and running) will eliminate all non-cpu logs, which I want to keep. I have tried many spin-offs on logic like NOT (CPU AND NOT (Temperature OR Running)), trying to say NO to cpu messages if temp or running is NOT in there with it. Let me give an example of what I want. Let's say the 4 logs below are all that is left after passing all the previous conditionals of the search.

log 1: kernel error56483...etc

log 2: cpu over temperature...etc

log 3: cpu left running...etc

log 4: cpu error no harm...etc

I want to keep log 1, 2, and 3. Log 1 was relevant to my previous conditionals, and 2 and 3 have the cpu errors I am looking for. Log 4 is the type of log I want eliminated. It managed to match a previous conditional, but because it contains the word 'cpu' in it without 'temp' or 'running' I know it possesses no significance.

So below is what I did to take care of this, using a subsearch. This seems inefficient and I am hoping I can write a conditional for it in my first search so I do not have to use a subsearch.

source="wineventlog:*" a bunch of conditionals...NOT cpu | append [ search source="wineventlog:*" cpu AND (temperature OR running) ]

Basically what this does, after all the narrowing in the first search, is eliminate ALL cpu messages at the end. Then the subsearch does another whole query, ONLY finding 'cpu and temp' or 'cpu and running', and attaches this to the first search, so that along with all the other logs I want (like example 1) I now also have the cpu messages that contain temp or running. Hopefully you understand.

This produces the results I want, logs 1, 2 and 3, but I am trying to figure out a more efficient way to do this.

Thanks for any help!
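As an added example that is not part of the original post: the append/subsearch version and a single predicate in the first search select the same events, because NOT cpu OR temperature OR running is, by De Morgan, the same test as NOT (cpu AND NOT (temperature OR running)). The script below models Splunk's case-insensitive term matching with a simple tokenizer (a simplification; Splunk's real segmenter splits on more characters) over constructed sample events, and checks that both formulations keep logs 1, 2 and 3 and drop log 4. In SPL the corresponding single search would be `source="wineventlog:*" a bunch of conditionals... (NOT cpu OR temperature OR running)`, with the parentheses kept so the OR does not absorb the other conditionals; this avoids the second pass over the index and the result/time limits that apply to subsearches.

```python
"""Added example (not from the original post): check that a single predicate,
    NOT cpu OR temperature OR running
keeps exactly the same events as the post's two-pass
    ... NOT cpu | append [ search ... cpu AND (temperature OR running) ]
The sample events are constructed here to mirror the four logs in the post.
"""
import re
from typing import List, Set

# Constructed sample events modelled on the post's four logs, plus a few
# edge cases (case differences and a token that merely starts with "cpu").
SAMPLE_LOGS = [
    "kernel error56483 page allocation failure",   # log 1: keep
    "cpu over temperature threshold on core 3",     # log 2: keep
    "cpu left running after shutdown request",      # log 3: keep
    "cpu error no harm done, continuing",           # log 4: drop
    "CPU Temperature sensor reset",                 # case-insensitive: keep
    "cpuid instruction trapped by hypervisor",      # 'cpuid' is not the token 'cpu': keep
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokens(event: str) -> Set[str]:
    """Approximate Splunk's case-insensitive keyword matching by splitting on
    non-alphanumerics and lowercasing. Assumption: Splunk's segmenter differs
    in detail, but the boolean argument below does not depend on it."""
    return set(TOKEN_RE.findall(event.lower()))


def has(event: str, term: str) -> bool:
    return term.lower() in tokens(event)


def keep_single_search(event: str) -> bool:
    """One predicate that fits inside the first search:
         (NOT cpu OR temperature OR running)
    By De Morgan this is NOT (cpu AND NOT (temperature OR running))."""
    return (not has(event, "cpu")) or has(event, "temperature") or has(event, "running")


def filter_single_search(events: List[str]) -> List[str]:
    return [e for e in events if keep_single_search(e)]


def keep_with_append(events: List[str]) -> List[str]:
    """Mirror of the post's approach: the outer search drops every cpu event,
    then the appended subsearch re-adds cpu events mentioning temperature or
    running. append concatenates, so ordering differs from the single pass."""
    outer = [e for e in events if not has(e, "cpu")]
    sub = [e for e in events
           if has(e, "cpu") and (has(e, "temperature") or has(e, "running"))]
    return outer + sub


def same_result(events: List[str]) -> bool:
    """True when both formulations keep exactly the same set of events."""
    return set(filter_single_search(events)) == set(keep_with_append(events))


if __name__ == "__main__":
    for e in SAMPLE_LOGS:
        print(("keep " if keep_single_search(e) else "drop ") + e)
    print("both approaches agree:", same_result(SAMPLE_LOGS))
```

The single-pass form is what to reach for here: it is one scan over the already-narrowed events, and because the terms are plain keywords it still benefits from the index rather than post-filtering the appended results.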

