I want to have both the first() of the _raw message and the same message without the time information. I have a regex that removes the time information from _raw right now, but I lose it for good, when I want to still have it as a different field.
    search terms
    | eval TimeInHour=_time%3600
    | rex mode=sed "s/ \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}//g"
    | stats first(_raw) by punct,TimeInHour,_raw,_time
    | stats count by _raw,TimeInHour,punct
    | addinfo
    | eval hours = round((info_max_time - info_min_time)/3600,0)
    | where count > hours-1
So what I want would look like this:

_raw | new_raw
--- | ---
2013-08-12 16:32:58 ib0: tx_head 409, tx_tail 281 | ib0: tx_head 409, tx_tail 281
2013-08-12 16:32:58 ib0: latency 27472681 msecs | ib0: latency 27472681 msecs
2013-08-12 16:32:58 ib0: tx_head 555, tx_tail 427 | ib0: tx_head 555, tx_tail 427
&lt;ConMan&gt; Console [aztec38] log at 2013-08-12 00:00:00 PDT. | &lt;ConMan&gt; Console [aztec38] log at PDT.
P.S. if anyone thinks of a better title I'm open to suggestions ;)
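One way to keep both fields, added here as an illustration and not part of the original post: copy _raw into a second field first and point the sed rewrite at that copy with `rex field=...`, so the original _raw is never modified and can still be carried through `stats` with `first(_raw)`. The field name `new_raw` and the trailing `table` are assumptions for illustration; `search terms` stands in for the poster's base search, and the rest of the pipeline (TimeInHour, punct grouping, the hours threshold) is kept exactly as posted.

```spl
search terms
| eval TimeInHour=_time%3600
| eval new_raw=_raw
| rex field=new_raw mode=sed "s/ \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}//g"
| stats first(_raw) AS _raw by punct, TimeInHour, new_raw, _time
| stats count, first(_raw) AS _raw by new_raw, TimeInHour, punct
| addinfo
| eval hours=round((info_max_time - info_min_time)/3600, 0)
| where count > hours-1
| table _raw, new_raw, TimeInHour, punct, count
```

The only behavioural change from the posted search is the grouping field: `stats` now groups on `new_raw` (the time-stripped copy) where it previously grouped on the already-rewritten `_raw`, so the counts come out the same while `first(_raw)` still returns one original, timestamped example per group. Note that the sed expression requires a space before the date, so a timestamp at the very start of `_raw` is only stripped if the event actually carries a leading space; drop the leading space from the pattern if it does not.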