Hi I tried modifying the search string as you suggested.

However this search string:

index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

Is just to verify that the event I want in my list is actually their. The original search string also return the event:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package

The goal is to have a search string that looks like this:

index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

and that will return a list with all the events with this data in it :

EVENT1
12:51:35|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=406745
... 81 lines omitted ...
source = H:\hudson\jobs\INET-SANDBOX-SERVLETETICKET-AskDeploySwitch\builds\2016-09-06_12-4

EVENT2
12:13:47|INFO|bitvise.py|408| [b00011103134.res.bec.dk] 12:13:47|INFO|install_profile.py|860| DEPLOYMENT OF rma_test was FINISHED! 12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156
source = H:\hudson\jobs\SWIFT-TEST-RMA-AskProfileDeploySwitch\builds\2016-09-06_12-02-46\log

As I can see it the only difference between these two events is the source information. But do not want to use that either

So in short the search string : index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

Need to return EVENT1 & EVENT2 but currently only EVENT1 is in my result

Your search terms are implicitly combined using a boolean AND operation. Any events that do not have a method field will consequentially not qualify for your result set.
In other words: You are explicitly looking for method=execute_package but that key/value pair is not present in the log event you have listed as not showing up. So, the results are as expected.

Hi your right the text I posted did not contain the information. I think there was a copy/paste issue.

Because the event I expect to have on my list has this data:

12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156

And the method field is in the text. But it just not in my result set.

And the text from a event that IS shown

12:54:03|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=1024765

My timerange of my serach it only 1 hour on a specific date so I know that the event I except is there

I can get the event in my result by writing :

index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

But I need the search string to look something like this:

index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")

This text: SWIFT-TEST-RMA-AskProfileDeploySwitch is different for most events