My Splunk alerts use the "Log Event" actions. How do I add the contents of _raw into the "Event" field? I tried $result._raw$ but that doesn't appear to be working.
Having the result content would be really helpful in the Log Event.
not sure if you are looking something like " | eval rawevent=_raw"?