I have a query which goes like this:
sourcetype="A" host=B
|rex "^(?:[^ \n]* ){2}(?P<user>\w+)"|rex "^(?:[^ \n]* ){10}(?P<resp_time>\d+)"|rex "^[^ \n]* (?P<txn_id>[^ ]+)"
|fields user,resp_time,txn_id
| sort -resp_time
I want to be able to see the latest _raw event (i.e. the one with the maximum resp_time).
Again, I don't want to see the table. I want to see the actual _raw event.
Hi @zacksoft,
Just add _raw to your field list, or just include |fields resp_time,_raw|sort -resp_time
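Putting the answer together with the original search, here is the full SPL as an added example (it is not part of either post). The three rex extractions are copied from the question; the changes are that _raw is kept in the fields list (an explicit fields list otherwise drops _raw, which is why only a table was visible), the sort is forced to numeric with num() so that resp_time is not compared as a string, and head 1 keeps only the single event with the largest resp_time. The sourcetype and host values are the placeholders from the question.

```spl
sourcetype="A" host=B
| rex "^(?:[^ \n]* ){2}(?P<user>\w+)"
| rex "^(?:[^ \n]* ){10}(?P<resp_time>\d+)"
| rex "^[^ \n]* (?P<txn_id>[^ ]+)"
| fields _raw, user, resp_time, txn_id
| sort -num(resp_time)
| head 1
```

Drop the head 1 if you want every raw event ordered by response time; with it, the result is exactly one event, and the Events view shows its full _raw text. If resp_time ever fails to extract (an event with fewer than eleven space-separated tokens), that event has no resp_time and sorts to the end, so it cannot be mistaken for the slowest one.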