Hi manjunathmeti,

Thank you for your response..!!

The query is working only for ENV_NAME=ABCEnvironment_MY. While for other environments such as ABCEnvironment_SG,ABCEnvironment_CN,ABCEnvironment_AU etc it shows as no results found.

Please suggest on this..

Thank you.

Remove | search ENV_NAME="ABCEnvironment_MY" from search query see ifENV_NAME contains other values.

Yes manjunathmeti,

After removing | search ENV_NAME= ABCEnvironment_MY, I can see the values in ENV_NAME field.

Please suggest.

It is working with the sample data you provided, check this query:

| makeresults 
| eval _raw="_raw
Tue Feb 2 19:07:26 EST 2021 Host Id :19804 Host Name : abcd Host Status : Running App Id :3403927 Label Name : com.abc.mx.xyz Synchronization : In Sync State : Running Number of template version : 48
Tue Feb 2 19:07:26 EST 2021 Host Id :19804 Host Name : wxyz Host Status : Running App Id :27736 Label Name : com.abcde.abcdefgh Synchronization : Out of Sync State : Running Number of template version : 1
2021-02-03 02:12:49.896, APP_NAME=\"com.abc.mx.xyz\", APP_TEMP_NAME=\"com.abc.mx.xyz-1\", APP_TEMP_VER=\"1.1.5\", LASTDEPLOYED=\"2019-09-24 13:38:05.047\", ENV_NAME=\"ABCEnvironment_MY\"
2021-02-03 02:12:49.896, APP_NAME=\"com.abcde.abcdefgh\", APP_TEMP_NAME=\"com.abcde.abcdefgh\", APP_TEMP_VER=\"3.1.0.20201126030342320\", LASTDEPLOYED=\"2020-11-27 13:01:49.959\", ENV_NAME=\"ABCEnvironment_AU\"" 
| multikv forceheader=1 
| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)" 
| fields App_Name, Sync_State, Last_Deployed, Temp_Version, ENV_NAME
| stats latest(*) as * by App_Name 
| search ENV_NAME="ABCEnvironment_AU"
| table App_Name, Sync_State,Last_Deployed, Temp_Version, ENV_NAME

Hi manjunathmeti,

The query works fine for the sample logs that I provided. However I will be having thousands of such logs and it's not possible to add all those logs in the search query with eval command.

Please help me in creating the query to meet my expectations.

Thank you.

NOTE: We have about 7 to 10 application in each environment. We are trying to create a table of the logs from the two hosts which will contain the App_Name,Sync_State,Last_Deployed and Temp_Version for each environment.

Then, the below query should work for you:

| rex field=_raw "(?ms)Host\s+Name\s:\s(?<Host_Name>\w+)"
| rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)"
| rex field=_raw "(?ms)APP_NAME=\"(?P<App_Name>[^\"]+)"
| rex field=_raw "(?ms)Synchronization\s:\s(?<Sync_State>[\w\s]+Sync)\sState"
| rex field=_raw "(?ms)LASTDEPLOYED=\"(?P<Last_Deployed>[^\"]+)"
| rex field=_raw "(?ms)APP_TEMP_VER=\"(?P<Temp_Version>[^\"]+)"
| rex field=_raw "(?ms)ENV_NAME=\"(?P<ENV_NAME>[^\"]+)" 
| fields App_Name, Sync_State, Last_Deployed, Temp_Version, ENV_NAME
| stats values(*) as * by App_Name

Thanks manjunathmeti..!!

But this query didn't work either. I am not getting the output as desired. 

Any other modification would be appreciated..!!