I have a Filter, a Query, and a QueryViewer. The query is set up to match the filter, and the query viewer shows the results of the query. I'm using the filter to match events that occur between sets of IP addresses, so it looks something like this:
(sourceAddress=1.2.3.4 OR sourceAddress=5.6.7.8 OR sourceAddress=9.8.7.6) AND (destinationAddress=1.2.3.4 OR destinationAddress=5.6.7.8 OR destinationAddress=9.8.7.6)
The problem I'm having is that when I add a fourth address, I will not get any events that match that address. After experimenting with it, I've found that adding additional addresses (using an OR operator on each side of the AND) will sometimes narrow the results and sometimes expand them, when I would expect an OR operator to always expand results. I'm testing this by manually sending CEF log messages to ArcSight and setting the src, dst, spt, and dpt fields. Everything seems to work fine if I'm just trying to match pairs of one, two, or three addresses.
Any ideas what might be going on here?
Accepted Solutions
I figured out a solution. The filter needs to match Attacker Address and Target Address as well as Source Address and Destination Address. Not sure why.
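To make the behaviour in this thread reproducible offline, here is an added example (not code from the original post and not part of ArcSight) that parses a handful of constructed CEF lines and evaluates the address-pair filter two ways: on sourceAddress/destinationAddress only, as in the question, and additionally on attackerAddress/targetAddress, as the accepted answer describes. It assumes a simplified CEF extension format (space-separated key=value tokens, no escaped spaces), the standard CEF mapping of src/dst to sourceAddress/destinationAddress, and sample events that carry attackerAddress/targetAddress explicitly, since the post does not say how ArcSight derives those fields. The `widening_is_monotone` check encodes the expectation stated in the question: OR-ing in more addresses should never remove matches, so a shrinking result set is a sign that the filter is testing different fields than the ones the events populate.

```python
"""Offline model of the ArcSight address-pair filter discussed in the thread.

Added example; not the original poster's code and not ArcSight's own logic.
Assumptions: CEF extensions are space-separated key=value tokens without
escaped spaces; src/dst are the CEF keys behind sourceAddress/destinationAddress;
attackerAddress/targetAddress are set explicitly on the constructed events.
"""
from typing import Callable, Dict, List, Set

Event = Dict[str, str]

# Constructed CEF samples. Events 1-3 are ordinary pairs among the three
# original addresses. Event 4 is built so that the fourth address (10.0.0.9)
# appears only in attackerAddress, not in src. Event 5 is outside the set.
SAMPLE_CEF: List[str] = [
    "CEF:0|Test|Sender|1.0|100|pair test|3|src=1.2.3.4 dst=5.6.7.8 spt=1111 dpt=22 attackerAddress=1.2.3.4 targetAddress=5.6.7.8",
    "CEF:0|Test|Sender|1.0|100|pair test|3|src=5.6.7.8 dst=9.8.7.6 spt=2222 dpt=443 attackerAddress=5.6.7.8 targetAddress=9.8.7.6",
    "CEF:0|Test|Sender|1.0|100|pair test|3|src=9.8.7.6 dst=1.2.3.4 spt=3333 dpt=80 attackerAddress=9.8.7.6 targetAddress=1.2.3.4",
    "CEF:0|Test|Sender|1.0|100|pair test|3|src=10.0.0.1 dst=5.6.7.8 spt=4444 dpt=22 attackerAddress=10.0.0.9 targetAddress=5.6.7.8",
    "CEF:0|Test|Sender|1.0|100|pair test|3|src=172.16.0.1 dst=172.16.0.2 spt=5555 dpt=22 attackerAddress=172.16.0.1 targetAddress=172.16.0.2",
]


def parse_cef(line: str) -> Event:
    """Parse one CEF line into a flat dict: the seven header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain seven pipe-separated fields")
    event: Event = {
        "cefVersion": parts[0][4:],
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "signatureId": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    for token in parts[7].split():  # simplified: no escaped spaces in values
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def pair_filter(addresses: Set[str], use_attacker_target: bool) -> Callable[[Event], bool]:
    """Build a predicate equivalent to
    (sourceAddress IN addresses) AND (destinationAddress IN addresses).
    With use_attacker_target=True the same pair test on
    attackerAddress/targetAddress is OR-ed in, modelling the accepted answer."""
    def matches(ev: Event) -> bool:
        src_dst = ev.get("src") in addresses and ev.get("dst") in addresses
        if not use_attacker_target:
            return src_dst
        atk_tgt = ev.get("attackerAddress") in addresses and ev.get("targetAddress") in addresses
        return src_dst or atk_tgt
    return matches


def run_filter(events: List[Event], predicate: Callable[[Event], bool]) -> Set[int]:
    """Return the 1-based indices of the events the predicate accepts."""
    return {i for i, ev in enumerate(events, 1) if predicate(ev)}


def widening_is_monotone(events: List[Event], small: Set[str], large: Set[str]) -> bool:
    """OR-ing in more addresses must only add matches: the small-set result
    has to be a subset of the large-set result."""
    assert small <= large
    return run_filter(events, pair_filter(small, True)) <= run_filter(events, pair_filter(large, True))


THREE = {"1.2.3.4", "5.6.7.8", "9.8.7.6"}
FOUR = THREE | {"10.0.0.9"}  # the "fourth address" from the question


def demo() -> Dict[str, Set[int]]:
    """Evaluate the filter variants over the constructed events."""
    events = [parse_cef(line) for line in SAMPLE_CEF]
    return {
        "three_src_dst": run_filter(events, pair_filter(THREE, False)),
        "four_src_dst": run_filter(events, pair_filter(FOUR, False)),
        "four_both": run_filter(events, pair_filter(FOUR, True)),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {sorted(hits)}")
```

Running it shows the pattern from the thread: the three-address and four-address src/dst filters both return events 1 to 3, so the fourth address looks inert, while the variant that also tests attacker/target picks up event 4. If a real ArcSight query ever returns fewer hits after an address is added, comparing against `widening_is_monotone` on exported events is a quick way to confirm the filter and the events disagree about which address fields are populated.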