StatusMsg is the field (on the fly field) that I want to be populated by the message so I'm not certain what you mean by 

<<some expression>>

So that was why I thought maybe this would be an if then type of query.  If StatusMsg="some value" then put that in the table along with the other data.  If not, then go to the next status message.  So I would want:

Action                                                  Host           ConnName

"Task through an uncaught..."     lx.......           CCNBU----

So should this be an if then search?

The StatusMsg field is being created on the fly, but it has to come from *somewhere*.  The OP has a list of possible messages, but there is no indication of when each is used.

<<some expression>> refers to a Boolean check that decides when to set StatusMsg to a specific string.  The expression probably will need to test the values of other fields (perhaps Host and/or ConnName).  You know your data better than I do so I can't be more detailed than that.

So I have been trying to use if statements, but I don't seem to be getting the if statement correct:

index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN Action="restart failed" OR Action="disconnected" OR Action="Task threw an uncaught an unrecoverable exception"
| eval if(Action="restart failed", "restart failed", "OK", Action="disconnected","disconnected","OK", Action="Task threw an uncaught an unrecoverable exception", "ok")
| table Action host connName

I've tried several different formats for the if, but it keeps telling me the if statements are wrong.  What am I not seeing here?

If this is your literal search, you're not assigning a field correctly with eval.

The eval command must have a destination field name. The if  and case commands just return a value. You have to assign this value somewhere.

And you're using if with case syntax.

Can you provide a sample?

The if function works like a ternary ? : operator in C. So the proper syntax for setting a field conditionally is like this:

| eval field=if(something="something","value_when_true","value_when_false")

I think I'm close, but the error_msg does not display:

index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN
| eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector")
| dedup host
| table host connName error_msg

Get rid of that dedup host.  You will see some events with error_msg, some without.  I cannot decipher what that dedup is supposed to accomplish, or what real problem you are trying to solve.  So, I cannot suggest an alternative.  But if you have that dedup and if for each host the last event is NOT a failure or disconnect, you will get no error_msg.  Maybe you mean this?

index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN
| eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector")
| search error_msg = *
| dedup host
| table host connName error_msg

Was able to get it working this way.  

index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR!=INFO _raw=*
| eval error_msg = case(match(_raw, "Disconnected"), "disconected",
match(_raw, "restart failed"), "restart failed",
match(_raw, "Failed to start connector"), "failed to start connector")
| search error_msg=*
| dedup connName
| table host connName error_msg ERROR

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.