Team,
When I search for a particular sourcetype, source and index, I want to have one interesting field, maybe called msg, whose value is the whole _raw message.
How can I achieve this via configuration?
Please help.
Add or modify the props.conf stanza for your sourcetype like this:
[yoursourcetype]
EXTRACT-complete-raw = ^(?P<msg>.*)$
This will add a field msg during search time containing the whole event text.
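To see what that EXTRACT regex actually captures, here is an added illustration that is not part of the thread and is not Splunk itself: it models Splunk's search-time named-group extraction with Python's re module, whose default handling of `.` and `$` (no newline match for `.`, `$` only at end of string or before a final newline) matches PCRE's defaults, which is the assumption this example rests on. The sample events are constructed, and DOTALL_PATTERN is a hypothetical variant, not something from the answer above.

```python
import re

# The regex from the props.conf stanza in the answer (EXTRACT-complete-raw).
ORIGINAL_PATTERN = r"^(?P<msg>.*)$"

# Hypothetical variant (assumption, not from the thread): the inline (?s) flag
# lets '.' also match newlines, so multi-line events are captured whole.
DOTALL_PATTERN = r"(?s)^(?P<msg>.*)$"

# Constructed sample events standing in for _raw; the second is a
# multi-line event (a stack trace with continuation lines).
EVENTS = [
    "2024-05-01T10:00:00Z sshd[1234]: Failed password for root "
    "from 203.0.113.7 port 4242 ssh2",
    "2024-05-01T10:00:01Z app ERROR NullPointerException\n"
    "\tat com.example.Foo.bar(Foo.java:42)\n"
    "\tat com.example.Main.main(Main.java:7)",
]


def extract_msg(raw, pattern=ORIGINAL_PATTERN):
    """Model a search-time EXTRACT: run the named-group regex against _raw.

    Returns a dict of captured fields, or None when the regex does not match
    (in which case Splunk would simply not create the field for that event).
    """
    match = re.search(pattern, raw)
    return match.groupdict() if match else None


def extract_all(events, pattern=ORIGINAL_PATTERN):
    """Apply the extraction to every event, mirroring a search over them."""
    return [extract_msg(event, pattern) for event in events]


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("dotall", DOTALL_PATTERN)):
        print(f"--- {label}: {pattern}")
        for event, fields in zip(EVENTS, extract_all(EVENTS, pattern)):
            first_line = event.splitlines()[0]
            print(f"{first_line[:40]!r:45} -> {fields}")
```

Running it shows the single-line event is captured in full by both patterns, while the multi-line event gets no msg field at all with the original regex: `.*` stops at the first newline and `$` cannot match there, so the whole regex fails rather than capturing a partial line. If your sourcetype carries multi-line events, test the stanza against one of them before relying on the field.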