Archive

Need to add _raw content into "Log Event"

fshimaya
Engager

My Splunk alerts use the "Log Event" actions. How do I add the contents of _raw into the "Event" field? I tried $result._raw$ but that doesn't appear to be working. Log Event

Having the result content would be really helpful in the Log Event.

0 Karma

sgontla_splunk
Splunk Employee
Splunk Employee

not sure if you are looking something like " | eval rawevent=_raw"?

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!