Splunk_Deploiement/apps/TA-socradar-incidents/default/data/ui/views/incident_logs.xml

<form version="1.1">
  <label>SOCRadar Incidents Logs</label>
  <description>Raw logs from the SOCRadar incidents collector</description>

  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="log_time">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Raw Logs -->
  <row>
    <panel>
      <event>
        <title>Raw Collector Logs</title>
        <search>
          <query>
index=_internal source="*ta_socradar_incidents_socradar_incidents_collector.log*"
| sort - _time
          </query>
          <earliest>$log_time.earliest$</earliest>
          <latest>$log_time.latest$</latest>
          <refresh>30s</refresh>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</form>