Sorry for not making notes sooner. I was traveling and just got back to this.

The first code block had an error when I tried to run it:
⚠ Error in 'eval' command: The expression is malformed. Expected ).

I'm fairly sure the assumptions are correct so if the values could be pulled without lockdown, that would be amazing. Do you see where the ")" is supposed to be?

Yes - my apologies. There were a couple missing closing parens in there. I've updated my answer and I believe the searches are correct now.

Ok, that processed, but the output isn't ideal. I sanitized some results so I'll post that.

Here's what I get with the latest code block:

host    Failover    Failover_time   Sync_Status Sync_Status_time    Status  Status_time
cn1 active  1476154441      1476154441      1476154441
gb1 standby 1476154443  All devices in the device group are in sync 1476154443  All devices in the device group are in sync 1476154443
gb2 active  1476154441  All devices in the device group are in sync 1476154441  All devices in the device group are in sync 1476154441
in1 active  1476154441      1476154441      1476154441
jp1 active  1476154443      1476154443      1476154443
sg1 standby 1476154443  All devices in the device group are in sync 1476154443  All devices in the device group are in sync 1476154443
sg2 active  1476154443  All devices in the device group are in sync 1476154443  All devices in the device group are in sync 1476154443
us1 standby 1476154443  All devices in the device group are in sync 1476154443  All devices in the device group are in sync 1476154443
us2 active  1476154441  All devices in the device group are in sync 1476154441  All devices in the device group are in sync 1476154441
us3 active  1476154443      1476154443      1476154443
xx1 standby 1476154443  All devices in the device group are in sync 1476154443  All devices in the device group are in sync 1476154443
xx2 active  1476154443  All devices in the device group are in sync 1476154443  All devices in the device group are in sync 1476154443

What I'm expecting is along the lines of:

host    TIME    Failover    Status  SyncStatus
cn1 10/10/2016 22:50    active      Standalone
gb1 10/10/2016 22:50    standby All devices in the device group are in sync In Sync
gb2 10/10/2016 22:50    active  All devices in the device group are in sync In Sync
in1 10/10/2016 22:50    active      Standalone
jp1 10/10/2016 22:50    active      Standalone
sg1 10/10/2016 22:50    standby All devices in the device group are in sync In Sync
sg2 10/10/2016 22:50    active  All devices in the device group are in sync In Sync
us1 10/10/2016 22:50    standby All devices in the device group are in sync In Sync
us2 10/10/2016 22:50    active  All devices in the device group are in sync In Sync
us3 10/10/2016 22:50    active      Standalone
xx1 10/10/2016 22:50    standby All devices in the device group are in sync In Sync
xx2 10/10/2016 22:50    active  All devices in the device group are in sync In Sync

The last block of results is from the code of Sundareshr which is heavily restricted. I had some pictures but I couldn't see how to upload. Sorry.

Hm. Unless you made some inadvertent edits to the table output as you were sanitizing it, I think there's some assumption we're making about the rows that isn't true.

The fact that the Status and the Sync_Status values are always the same, and the "real" values of "In Sync" never make it to the final results, I think means that those two regexes are matching into eachothers events often or all the time, even though my second search is trying to prevent that. Similar problems (and failures of those assumptions) could also explain why the latest times being matched for the three components are always the same.

To troubleshoot, replace the stats command at the end with this:

| table host Failover Failover_time Sync_Status Sync_Status_time Status Status_time 
| convert CTIME(Failover_time) | convert CTIME(Sync_Status_time) | convert CTIME(Status_time)

Thanks for sticking around on this sideview. I ran the troubleshooting code and looks like we're still getting matches passed through to upstream regex (see below). I don't know if I mentioned it, but it is possible for Sync_Status to be NULL or Blank. Status and Failover will NEVER be NULL or blank. I would also assume the times would always match:

host    Failover    Failover_time   Sync_Status Sync_Status_time    Status  Status_time
cn1             10/13/2016 16:02        10/13/2016 16:02
cn1         Standalone  10/13/2016 16:02    Standalone  10/13/2016 16:02
sg1         All devices in the device group are in sync 10/13/2016 16:02    All devices in the device group are in sync 10/13/2016 16:02
sg1         In Sync 10/13/2016 16:02    In Sync 10/13/2016 16:02
gb1         All devices in the device group are in sync 10/13/2016 16:02    All devices in the device group are in sync 10/13/2016 16:02
gb1         In Sync 10/13/2016 16:02    In Sync 10/13/2016 16:02
in1             10/13/2016 16:02        10/13/2016 16:02
in1         Standalone  10/13/2016 16:02    Standalone  10/13/2016 16:02
sg2         All devices in the device group are in sync 10/13/2016 16:02    All devices in the device group are in sync 10/13/2016 16:02
sg2         In Sync 10/13/2016 16:02    In Sync 10/13/2016 16:02
jp1             10/13/2016 16:02        10/13/2016 16:02
jp1         Standalone  10/13/2016 16:02    Standalone  10/13/2016 16:02
cn1 active  10/13/2016 16:02    1/1 active  10/13/2016 16:02    1/1 active  10/13/2016 16:02
sg1 standby 10/13/2016 16:02    1/1 standby 10/13/2016 16:02    1/1 standby 10/13/2016 16:02
gb2         All devices in the device group are in sync 10/13/2016 16:02    All devices in the device group are in sync 10/13/2016 16:02
gb2         In Sync 10/13/2016 16:02    In Sync 10/13/2016 16:02
gb1 standby 10/13/2016 16:02    1/1 standby 10/13/2016 16:02    1/1 standby 10/13/2016 16:02
xx1         All devices in the device group are in sync 10/13/2016 16:02    All devices in the device group are in sync 10/13/2016 16:02
xx1         In Sync 10/13/2016 16:02    In Sync 10/13/2016 16:02
xx1 active  10/13/2016 16:02    1/1 active  10/13/2016 16:02    1/1 active  10/13/2016 16:02

Thanks for your reply, Sundareshr.

I tried your code and it gave me an "Error in 'eval' command: The arguments to the 'if' function are invalid."

I also added in the rex for Sync_Status since it was missing but still got the same error.

index=team_f5_metrics (F5-BIGIP-SYSTEM-MIB::sysCmFailoverStatusSummary.0 OR F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 OR F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusStatus.0) 
 | rex "1/1 (?<Failover>.*)$" 
 | rex "STRING: (?<Status>.*)$" 
 | rex "STRING: (?<Sync_Status>.*)$"
 | eval Sync_Status=if("F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0", Status, null())
 | eval Status=if("F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0", null(), Status)
 | stats latest(Failover) as Failover latest(Status) as Status latest(Sync_Status) as SyncStatus latest(_time) as TIME by host 
 | convert ctime(TIME)
 | table host TIME Failover Status SyncStatus

I haven't dealt with eval and if statements yet. Do you see where there error is?

Looks like my comment didn't post from yesterday. I just wanted to say this latest one will work (Thank You!) but I'd still be interested in seeing if the other will also work without the heavy lockdown. This answer deserves credit none-the-less. I'm getting a lot of understanding from this example.

Hi @jambraun - Glad to hear that you got some good answers from to your question. If one of them has helped to resolve your issue, please don't forget to click "Accept" below the best answer and upvote anything that was helpful. Thanks!

Sorry for not making notes sooner. I was traveling and just got back to this.

Looks like this latest one will work if I know the string responses before hand (and hopefully don't overlap). I'm learning a lot from this, so thank you! I'm still looking at that first one posted to see how it will work but this deserves credit.

Try the updated one. Since the regex for Status and Sync_Status are identical, you don't need the rex for Sync_Status

That works much better, thanks!
the Status and sync_status aren't the same data so it needs to be played with a bit.

I'm getting some bleed-over from Failover in to Status. The only text should be either 'In Sync' or 'Standalone':

HOST TIME FAILOVER STATUS SYNCSTATUS
cn1 09/29/2016 23:04:02 active 1/1 active

gbs1 09/29/2016 23:04:02 active 1/1 active All devices in the device group are in sync

gbs2 09/29/2016 23:03:02 standby In Sync All devices in the device group are in sync

in1 09/29/2016 23:04:02 active 1/1 active

jp1 09/29/2016 23:03:03 active Standalone

sg1 09/29/2016 23:04:02 active 1/1 active All devices in the device group are in sync

sg2 09/29/2016 23:03:02 standby In Sync All devices in the device group are in sync

us1 09/29/2016 23:04:03 active 1/1 active All devices in the device group are in sync

us2 09/29/2016 23:04:02 standby 1/1 standby All devices in the device group are in sync

us3 09/29/2016 23:04:02 active 1/1 active

xx1 09/29/2016 23:03:02 active In Sync All devices in the device group are in sync

xx2 09/29/2016 23:03:02 standby In Sync All devices in the device group are in sync

Try now with updated regex

Also I'm doing some fooling with it, try this.

index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmFailoverStatusSummary.0 
| rex "1/1 (?<Failover>.*)$" 
| stats latest(Failover) as Failover latest(_time) as TIME by host 
| eval output="Failover event " . Failover . " happened at " . TIME 
| table host TIME output 
| append 
    [ search index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 
    | rex "STRING: (?<Sync_Status>.*)$" 
    | stats latest(Sync_Status) as Sync_Status latest(_time) as TIME by host 
    | eval output="Sync Status event " . Sync_Status . " happened at " . TIME 
    | table host TIME output 
| append 
    [ search index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusStatus.0 
    | rex "STRING: (?<Status>.*)$" 
    | stats latest(Status) as Status latest(_time) as TIME by host 
    | eval output="Sync Status event " . Sync_Status . " happened at " . TIME 
    | table host TIME output ] 
| convert ctime(TIME) | rename output AS "Status Event"

There's a lot of tomfoolery in there that I can't validate (hence why I'm calling it tomfoolery), but it might work or be trivially fixable. I'd still like a clearer picture of the events you have and the sort of output you are looking for, but this might do it.

Sorry, I was trying to delete my own comment, but deleted the thread of them down here. Fortunately, it didn't really matter.

In reading my above (Which may work fine even if oddly formatted - we can fix that if it's OK otherwise!), and in reading the below, I think it may be very beneficial to both sundareshr and I if you could post a few of the actual events you are basing this on. Preferably a couple of events of each "type" that you describe above. Sanitize them if you need to, of course. 🙂