https://community.splunk.com/t5/Splunk-Search/Filter-events-with-specific-text/m-p/51107#M12298 <P>add the following to your search:</P> <P>NOT "Failed to ready header on stream TCP"</P> <P>Or if that message is already being extracted in a field, </P> <P>NOT myfield="Failed to ready header on stream TCP"</P> Mon, 01 Aug 2011 14:57:59 GMT RicoSuave 2011-08-01T14:57:59Z https://community.splunk.com/t5/Splunk-Search/Filter-events-with-specific-text/m-p/51106#M12297 <P>I've already indexed a bunch of syslog data. However, when I search I'd like to be able to filter out certain events that have the same text in them. How can I do this? For example I want to filter out "Failed to ready header on stream TCP" from my search results (see example text below). Thanks!</P> <P>Example:</P> <P>Aug 1 10:17:56 10.112.101.103 Aug 1 14:17:57 Hostd: [2011-08-01 14:17:57.724 54B16B90 error 'App'] Failed to read header on stream TCP(local=127.0.0.1:62968, peer=127.0.0.1:0): N7Vmacore15SystemExceptionE(Connection reset by peer)</P> Mon, 01 Aug 2011 14:22:33 GMT https://community.splunk.com/t5/Splunk-Search/Filter-events-with-specific-text/m-p/51106#M12297 procha 2011-08-01T14:22:33Z https://community.splunk.com/t5/Splunk-Search/Filter-events-with-specific-text/m-p/51107#M12298 <P>add the following to your search:</P> <P>NOT "Failed to ready header on stream TCP"</P> <P>Or if that message is already being extracted in a field, </P> <P>NOT myfield="Failed to ready header on stream TCP"</P> Mon, 01 Aug 2011 14:57:59 GMT https://community.splunk.com/t5/Splunk-Search/Filter-events-with-specific-text/m-p/51107#M12298 RicoSuave 2011-08-01T14:57:59Z