One reason to not allow advanced search functions on http requests or security events such as filtering by regex is to avoid cost associated to CPU intensive or memory intensive search criteria. If a tenant is comfortable with only having access to search the last 10 days of data, this cost reduction in log retention might help off set the cost associated to complex search functions.

Perhaps there could be a digital signing option in the console to agree to this to enable advanced search functions for that specific tenant or even at a specific LB level.