@RedMug  Kindly follow this documentation and try to install the app from the CLI.  Install Splunk IT Essentials Work on a single on-premises instance - Splunk Documentation  Troubleshooting compatibility issues between components or apps in Splunk Enterprise - Splunk Lantern  

@gcusello  Please find the exact query. index="Test" applicationName="sapi" timestamp log.map.correlationId level message ("Ondemand Started*" OR "Process star | rex field-message max_match=0 "\"Ondemand Started for. filename: (?<OnDemandFileName> [^\n]\w+\S+)" | rex field-message max_match=0 "Process started for (?<FileName>[^\n]+)" |eval OnDemandFileName=rtrim(OnDemandFileName, "Job") |eval "FileName/JobName"= coalesce (OnDemandFileName, FileName) | rename timestamp as Timestamp log.map.correlationId as CorrelationId level as Level message as Message |eval JobType=case (like( 'Message', "%Ondemand Started%"), "OnDemand", like('Message", "Process started%"), "Scheduled", true (), "Unknown") |eval Message=trim(Message, "\"") |table Timestamp CorrelationId Level JobType "FileName/JobName" Message join CorrelationId type=left [search index="Test" applicationName="sapi" level=ERROR | rename log.map.correlationId as CorrelationId level as Level message as Messagel | dedup CorrelationId | table CorrelationId Level Messagel] | table Timestamp CorrelationId Level JobType "FileName/JobName" Messagell join CorrelationId type=left [ search index="Test" applicationName="sapi" message="*file archived successfully *" | rex field-message max_match=0 "\"Concur file archived successfully for file name: (?<Archived FileName>[^\n]\w+\S+)" |eval Archived FileName=rtrim(Archived FileName,"\"") | rename log.map.correlationId as CorrelationId | table CorrelationId ArchivedFileName] | table Timestamp CorrelationId Level JobType "FileName/JobName" ArchivedFileName Messagel join CorrelationId type=left [ search index="Test" applicationName="sapi" (log.map.processor Path=ExpenseExtractProcessingtoOraclex AND (" Import*" OR "APL Import*")) | rename timestamp as Timestamp1 log.map.correlationId as CorrelationId level as Level message as Message | eval Status-case (like('Message", "%GL Import flow%"), "SUCCESS", like('Message", "%APL Import flow%"), "SUCCESS", like('Level', "%Exception%"), "ERROR") | rename Message as Response | table Timestamp1 CorrelationId Status Response] | eval Status=if (Level="ERROR", "ERROR", Status) | eval StartTime=round(strptime(Timestamp, "%Y-%m-%dT%H:%M: %S.%QZ")) | eval EndTime=round(strptime (Timestamp1, "%Y-%m-%dT%H:%M: %S.%QZ")) | eval Elapsed TimeInSecs-EndTime-StartTime | eval. "Total Elapsed Time"=strftime (Elapsed TimeInSecs, "%H:%M:%S") | eval Response= coalesce (Response, Message1)|table Status CorrelationId ArchivedFileName] | table Timestamp CorrelationId Level JobType "FileName/JobName" ArchivedFileName |search Status=* |stats count by JobType

I was a bit too quick in accepting your Answer as Solution. Now it seems that the search is looking just for the first ClientName in the lookup file and ignoring all the rest. If I put the ClientName that I am sure will be in the event log as first entry it works. When I put the ClientName as 3rd or 4th Entry in the Column it doesnt find the event.