https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/587978#M204777 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242136">@Bala</a>,</P><P>when you say "filter" are you meaning at search time or before indexing?</P><P>if at search time, you can insert the condition in the main search:</P><LI-CODE lang="markup">index=your_index ("ABCDEFG :::{\"status\":400" OR "ABCDEFG :::{\"status\":500") | ...</LI-CODE><P>if before indexing, you have to follow the documentation at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P><P>Ciao.</P><P>Giuseppe</P> Tue, 08 Mar 2022 09:12:03 GMT gcusello 2022-03-08T09:12:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/587977#M204776 <P>Hi Team i have a log message and i want to filter the all log messages which contains the below <STRONG>highlighted</STRONG> text. and if the status value is other than 200 status!=200 separate that messages</P> <P>{"timestamp":"2022-03-04T11:04:41.143Z","message":"<STRONG>ABCDEFG :::{\"status\":200</STRONG>,\"headers\":</P> <P>{"timestamp":"2022-03-05T11:02:41.143Z","message":"<STRONG>ABCDEFG :::{\"status\":400</STRONG>,\"headers\":</P> <P>{"timestamp":"2022-03-02T11:05:41.143Z","message":"<STRONG>ABCDEFG :::{\"status\":500</STRONG>,\"headers\":</P> Tue, 08 Mar 2022 17:52:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/587977#M204776 Bala 2022-03-08T17:52:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/587978#M204777 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242136">@Bala</a>,</P><P>when you say "filter" are you meaning at search time or before indexing?</P><P>if at search time, you can insert the condition in the main search:</P><LI-CODE lang="markup">index=your_index ("ABCDEFG :::{\"status\":400" OR "ABCDEFG :::{\"status\":500") | ...</LI-CODE><P>if before indexing, you have to follow the documentation at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P><P>Ciao.</P><P>Giuseppe</P> Tue, 08 Mar 2022 09:12:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/587978#M204777 gcusello 2022-03-08T09:12:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/588246#M204860 <P>its not working</P><P>Log&nbsp; &nbsp;"message":"ABCDEFG :::{\"status\":200,\"headers\":</P><P><SPAN>| rex field=message "ABCDEFG</SPAN>\s...{."status.":"(?&lt;status&gt;\d+) | table status</P><P>am able to see the correct events but not able to see the values 200 in table&nbsp;</P><P>correct me if am missing anything</P> Wed, 09 Mar 2022 14:56:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/588246#M204860 Bala 2022-03-09T14:56:07Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/588266#M204870 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242136">@Bala</a>,</P><P>let me understand, is your problem extracting the status field from your logs or what else?</P><P>if you want to extractthe status field, you can use a regex, but before a question: are you sure that in your logs there is a backslash "\" before quotes?</P><P>if yes, you can use the following regex:</P><LI-CODE lang="markup">| rex field=message "status\\\":(?&lt;status&gt;\d+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/cDYieK/1" target="_blank">https://regex101.com/r/cDYieK/1</A></P><P>if not, you can use the following regex:</P><LI-CODE lang="markup">| rex field=message "status\":(?&lt;status&gt;\d+)"</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Wed, 09 Mar 2022 16:15:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-output-of-particular-text-from-the-log-message/m-p/588266#M204870 gcusello 2022-03-09T16:15:34Z