Hi, this is an interesting question and the real answer would be quite long 😞 So you'll have to settle for a short answer.

In short, _raw is just another field, like any other such as host, source, sourcetype, index, name, etc. The only difference is that it contains all the data that a particular event has. Of course there are some other fields (like index, sourcetype, etc.) which are not part of _raw even though they are part of the event's metadata.

When you search index=main _raw=syswow64, Splunk's search engine tries to find events whose _raw (the whole event) is only "syswow64". When you search index=main _raw=*syswow64*, Splunk searches for events which contain syswow64 and may or may not have something else. This is equal to your search index=main syswow64. I can't see any reason why you would want to use _raw=something when you are doing your searches!

Here are some documents which could shed some light on this:

https://conf.splunk.com/files/2016/slides/behind-the-magnifying-glass-how-search-works.pdf
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Startsearching
https://conf.splunk.com/watch/conf-online.html?search=Martin%20M%C3%BCller (Speaker Martin Müller and/or Clara Merriman)
https://conf.splunk.com/watch/conf-online.html?search=Master%20joinin%20datasets (speaker Nick Mealy)

r. Ismo
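To make the difference between `_raw=syswow64`, `_raw=*syswow64*` and a free-text `syswow64` concrete, here is an added Python simulation of those matching rules over a few constructed events (this is not Splunk's engine and not code from the answer above; the events, the simplified tokenizer and the `search` helper are all assumptions made for illustration):

```python
import re

# Constructed sample events (not taken from any real index). The first _raw
# mentions SysWOW64 inside a longer line, the third is exactly the token.
EVENTS = [
    {"index": "main", "sourcetype": "WinEventLog",
     "_raw": r"Image=C:\Windows\SysWOW64\cmd.exe ParentImage=C:\Windows\explorer.exe"},
    {"index": "main", "sourcetype": "WinEventLog",
     "_raw": r"Image=C:\Windows\System32\notepad.exe"},
    {"index": "main", "sourcetype": "WinEventLog", "_raw": "syswow64"},
    {"index": "security", "sourcetype": "WinEventLog",
     "_raw": "syswow64 seen in another index"},
]


def _glob_to_regex(pattern):
    """Turn a field value with '*' wildcards into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def field_match(event, field, pattern):
    """field=value: the WHOLE field value must match; '*' is the only wildcard."""
    value = event.get(field)
    return value is not None and _glob_to_regex(pattern).match(value) is not None


def term_match(event, term):
    """Free-text term: matches when the term is one of the tokens of _raw.
    Simplified segmentation (split on non-word characters), case-insensitive."""
    tokens = re.split(r"[^A-Za-z0-9_]+", event["_raw"].lower())
    return term.lower() in tokens


def search(events, field_filters=(), terms=()):
    """Return the _raw of every event satisfying all field filters and free terms."""
    return [e["_raw"] for e in events
            if all(field_match(e, f, p) for f, p in field_filters)
            and all(term_match(e, t) for t in terms)]


def demo():
    # index=main _raw=syswow64 : only an event whose entire _raw is "syswow64"
    exact = search(EVENTS, [("index", "main"), ("_raw", "syswow64")])
    # index=main _raw=*syswow64* : any main event containing the string
    wildcard = search(EVENTS, [("index", "main"), ("_raw", "*syswow64*")])
    # index=main syswow64 : the plain term search the answer says is equivalent
    free = search(EVENTS, [("index", "main")], terms=["syswow64"])
    return exact, wildcard, free


if __name__ == "__main__":
    for name, result in zip(("exact", "wildcard", "free"), demo()):
        print(name, result)
```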