topic Re: Is it possible to display all _raw events from one source in Splunk Search https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370122#M175050 <P>Thanks for this...</P> Wed, 22 Mar 2017 20:19:31 GMT robertlynch2020 2017-03-22T20:19:31Z Is it possible to display all _raw events from one source https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370118#M175046 <P>I have a file call /net/dell569srv/dell569srv2/apps/qa10157_TPK0002437_24367887/TestRunner/logs/20170321-184649.17336.50.cmd.51.archive-and-report.sh.log</P> <P>In this there are many events in this file, however i want to display all of them in a cell, is it possible to merge them?<BR /> I want all _raw events in one cell and to dedup the source.</P> <P><IMG src="https://community.splunk.com/storage/temp/190188-2017-03-22-151241.png" alt="alt text" /></P> Tue, 29 Sep 2020 13:19:40 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370118#M175046 robertlynch2020 2020-09-29T13:19:40Z Re: Is it possible to display all _raw events from one source https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370119#M175047 <P>Try like this</P> <PRE><CODE>index=mlc_live host=TimeSeries sourcetye="TestRunner_logs" | stats list(_raw) as RawData by source </CODE></PRE> Wed, 22 Mar 2017 15:17:25 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370119#M175047 somesoni2 2017-03-22T15:17:25Z Re: Is it possible to display all _raw events from one source https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370120#M175048 <P>Like this:</P> <PRE><CODE> index=mlc_live host=TimeSeries sourcetye="TestRunner_logs" | stats list(_raw) BY source </CODE></PRE> <P>Be aware that the <CODE>stats</CODE> commands (e.g. <CODE>list</CODE>) are limited to 1000 values inside a multi-value field so if you have more than 1000 events, you will only see the latest 1000 of them.</P> Wed, 22 Mar 2017 19:02:14 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370120#M175048 woodcock 2017-03-22T19:02:14Z Re: Is it possible to display all _raw events from one source https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370121#M175049 <P>This worked cheers.</P> Wed, 22 Mar 2017 20:18:06 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370121#M175049 robertlynch2020 2017-03-22T20:18:06Z Re: Is it possible to display all _raw events from one source https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370122#M175050 <P>Thanks for this...</P> Wed, 22 Mar 2017 20:19:31 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-display-all-raw-events-from-one-source/m-p/370122#M175050 robertlynch2020 2017-03-22T20:19:31Z