
How to see _raw logs in the dashboard?

debdutsaini
New Member

I am trying to display raw logs in a dashboard, but it is removing the raw logs. Is there a way to display them? In a standard search, it shows the raw logs, but not in the dashboard.

Sample Query:

index=*
| eval device = coalesce(dvc, device_name)
| eval is_valid_str=if(match(device, "^[a-zA-Z0-9_\-.,$]*$"), "true", "false")
| where is_valid_str="false"
| stats count by device, index, _raw

 


thahir
Communicator

Hi @debdutsaini,

Replace stats with table in the last line of your query, like below:

index=*
| eval device = coalesce(dvc, device_name)
| eval is_valid_str=if(match(device, "^[a-zA-Z0-9_\-.,$]*$"), "true", "false")
| where is_valid_str="false"
| table _time index device _raw


PrewinThomas
Builder

@debdutsaini 

If it's in Dashboard Studio, you need to enable _internal fields to show the same in the dashboard.

Edit -> Data Display -> Select Internal fields

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
