Here's an alternative method using rex.

For testing purposes let's associate events from metrics.log in clumps of 4 with :

index=_internal source=*metrics.log | transaction maxevents=4 source

This yields transaction meta-events that look like this :

12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=queue, name=typingqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=58, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=realtime_search_data, system total, drop_count=0
12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0

To get the original _raw field back (and therefore, display the original events) I use rex with a "delimiter" regex matching the date at the beginning of my event, and then all characters until a CLRF. This creates one multi-value field per transaction containing the pre-transaction values of _raw, which we can then expand back to a single-value field with mvexpand:

index=_internal source=*metrics.log | transaction maxevents=4 source | eval transaction_raw=_raw | rex max_match=1000 "(?msi)^(?[01]\d-[0-3]\d-2011\s[^\r\n]*?)$" | mvexpand raw | eval _raw=raw

Remarks :

• For the delimiter regex to work, you need to specify max_match with a value equal to or higher than the maximum number of events you expect in your transaction.
• The regex will need to be reworked if your original events span multiple lines.
• A transition field (here raw) is necessary. You cannot restore _raw directly unto itself.
• We conserved the transaction's own _raw in transaction_raw which allows to still report on the transaction results. The transaction special fields are also conserved.