How to see _raw logs in the dashboard?

debdutsaini · ‎07-30-2025

I am trying to display raw logs in a dashboard but it removing the raw logs. Is there a way to display it? In standard search, it is showing the raw logs but not in dashboard.

Sample Query:

index=*
| eval device = coalesce(  dvc, device_name)
| eval is_valid_str=if(match(device, "^[a-zA-Z0-9_\-.,$]*$"), "true", "false")
| where is_valid_str="false"
| stats count by device, index, _raw

thahir · ‎07-30-2025

HI @debdutsaini ,

replace stats with table in the last line of your query like below

index=*
| eval device = coalesce(dvc, device_name)
| eval is_valid_str=if(match(device, "^[a-zA-Z0-9_\-.,$]*$"), "true", "false")
| where is_valid_str="false"
| table _time index device _raw

PrewinThomas · ‎07-30-2025

@debdutsaini

If it's in Dashboard studio,

You need to enable _internal fields to show the same in the dashboard.

Edit -> Data Display-> Select Internal fields

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

How to see _raw logs in the dashboard?

Dashboard Studio

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to see _raw logs in the dashboard?

Dashboard Studio

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?