This works but if the value is displayed as value="data need to be 

displayed here "

here the value will be displayed only up to "data need to be " and not the complete string which is in next line.

@Aks_PC_20 - If your format is fixed like:

Display details of value=abc and value=def for id=1

Format: <some text> value=<value-1> and value=<value-2> for id=<id>

Then you can use this:

index=* "Letters" 
| rex field=_raw max_match=0 "value=(?<value1>.+)\s+and\s+value=(?<value2>.+)\s+for\s+id="
| stats latest(value2) as letter by id

But to extract the proper value and to write the proper regex you first need to define the format of the events in order to know where the value is starting and ending.

I hope this helps!!!

The value of value2 field is dynamic , each event will have different value. First query you mentioned worked but only thing is it consider the value only upto the end of line but does not consider the value which is continued in next line

@Aks_PC_20 - So does that mean in your example?

* value1="abc"

* value2="def for id=1"

(because you mentioned value2 is till the end of the line.)

If this is correct then you can use:

index=* "Letters" 
| rex field=_raw max_match=0 "value=(?<value1>.+)\s+and\s+value=(?<value2>[^\n\r]+)"
| stats latest(value2) as letter by id

I hope this helps!!! Upvote/Karma would be appreciated!!!

Also, remeber that by default regexes are relatively greedy (they match as much as theu can) so if you don't  specify any boundaries to matching withinyour regex, you'll have a runaway one. So, for example,

value=(?<value>.*)

will match the event

value=1, value=2, value=3

and will extract "value" field from the "1" up to the end of the string.

If you matched only

value=(?<value>\d+)

you'd get separate matches for each value