Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fetch the latest _raw event

zacksoft
Contributor
‎07-03-2018 04:55 AM

I have query which goes like this 

   sourcetype="A" host=B 
      |rex "^(?:[^ \n]* ){2}(?P<user>\w+)"|rex "^(?:[^ \n]* ){10}(?P<resp_time>\d+)"|rex "^[^ \n]* (?P<txn_id>[^ ]+)"
     |fields user,resp_time,txn_id 
     | sort -resp_time

I want to be able to see the latest _raw event (i.e. the one with maximum resp_time)
Again, I don't want to see the table. I want to see the actual _raw event

Tags (1)
0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎07-03-2018 05:11 AM

Hi @zacksoft,

Just add _raw to your field list or just include |fields resp_time,_raw|sort -resp_time

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...