The command you're looking for is eval.

index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN
| eval StatusMsg = case(<<some expression>>, "Task threw an uncaught and unrecoverable exception",
    <<some other expression>>, "Ignoring await stop request for non-present connector",
    ...,
    <<a different expression>>, "Connection refused",
    1==1, "Unknown")
| table host connName StatusMsg

The trick is in selecting the appropriate status message. You'll need to key off some field(s) in the results.
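An added example, not part of the answer above: one way to write the case() expressions, assuming the message text is in _raw (the thread does not say which field holds it). The makeresults events and the host and connName values are constructed so the search runs without the kafka-np index; case() returns the value for the first condition that is true, so the catch-all goes last.

```spl
| makeresults count=4
| streamstats count AS n
| eval source="constructed_sample", host="kc-host-".tostring(n), connName="CCNGBU_demo_".tostring(n)
| eval _raw=case(
    n==1, "ERROR Task threw an uncaught and unrecoverable exception",
    n==2, "WARN Ignoring await stop request for non-present connector CCNGBU_demo_2",
    n==3, "ERROR java.net.ConnectException: Connection refused",
    n==4, "WARN constructed message that no rule matches")
| eval StatusMsg=case(
    like(_raw, "%Task threw an uncaught and unrecoverable exception%"), "Task threw an uncaught and unrecoverable exception",
    like(_raw, "%Ignoring await stop request for non-present connector%"), "Ignoring await stop request for non-present connector",
    like(_raw, "%Connection refused%"), "Connection refused",
    true(), "Unknown")
| table host connName StatusMsg
```

The fourth event falls through to "Unknown"; a steady count of "Unknown" rows in real data means a message type has no rule yet.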