One option is to prepend the original fields before sending to the summary index...
| foreach _* *
[| eval orig_<<MATCHSTR>>=<<FIELD>>]
(You may want to only prepend the fields you actually need, and which get overwritten, e.g. host, source, sourcetype, instead of _* * )
Just want to add, if your timestamp included milliseconds, you can use:
| rex field=diff "(?<HH>\d+):(?<MM>\d+):(?<SS>\d+)\.(?<MS>\d+)"
| eval dur = (HH * 3600) + (MM * 60) + SS + (MS / 1000000)
My timestamp had 6 decimal places for ms, so I divide MS by 1,000,000.
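As an added example (not code from the thread above), here is the same HH:MM:SS.fraction to seconds conversion in Python. It generalizes the post's fixed divide by 1,000,000: the fraction is scaled by its own digit count, so a 3-digit and a 6-digit fractional part both come out right, and a value with no fractional part is accepted too. The sample diff strings are constructed for illustration.

```python
import re

# Same shape as the SPL rex: HH:MM:SS followed by an optional fractional
# seconds field of any width (the poster's had 6 digits).
_DUR_RE = re.compile(r"^(?P<HH>\d+):(?P<MM>\d+):(?P<SS>\d+)(?:\.(?P<FRAC>\d+))?$")


def duration_seconds(diff: str) -> float:
    """Convert 'HH:MM:SS[.fraction]' into seconds.

    The fractional part is divided by 10 ** (its digit count) instead of a
    fixed 1,000,000, so '.5', '.500' and '.500000' all mean half a second.
    Raises ValueError for anything that does not match the expected shape.
    """
    m = _DUR_RE.match(diff.strip())
    if not m:
        raise ValueError(f"not an HH:MM:SS[.frac] duration: {diff!r}")
    hh, mm, ss = (int(m.group(k)) for k in ("HH", "MM", "SS"))
    frac = m.group("FRAC")
    fractional = int(frac) / 10 ** len(frac) if frac else 0.0
    return hh * 3600 + mm * 60 + ss + fractional


# Constructed sample values (not taken from the original thread).
SAMPLE_DIFFS = ["00:00:01.500000", "01:02:03.250", "00:00:00.000001", "12:00:00"]


def main():
    for d in SAMPLE_DIFFS:
        print(f"{d} -> {duration_seconds(d):.6f}s")


if __name__ == "__main__":
    main()
```

If the source field carries a days component (e.g. 1+02:03:04), extend the regex with an optional leading day group before applying the same arithmetic; the function above deliberately rejects such values rather than silently misparsing them.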