https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681396#M232843 <P>I understand. Still, trying to run the search it returns no result...</P> <LI-CODE lang="markup">index=example host=* message_name=* AND profileId="example" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard"" | rex field=_raw "Message received:\s\{(?P&lt;check&gt;.*?)\,\"previous" | where like(check,"%assetcard%")</LI-CODE> Wed, 20 Mar 2024 16:47:46 GMT frodelauka 2024-03-20T16:47:46Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681374#M232832 <P>I'm trying to search for a specific phrase with the search below but I only want result1, not result2. The issue here, I guess, is that parts of the phrase I'm searching for is present in both results (<STRONG>same phrase marked in bold</STRONG>) -&gt;</P><P><STRONG>Search:</STRONG></P><P>index=example host=example message_name=* AND profileId="xxxx-xxxxx-xxxxx" AND "deviceClass":"example" AND <FONT color="#008000">"Message received: {<STRONG>"name":"screenView","screenName":"assetcard</STRONG>""</FONT></P><P><STRONG>Result1:</STRONG></P><P>MessageReceiver:96 - <FONT color="#008000">Message received: {"<STRONG>name":"screenView","screenName":"assetcard</STRONG></FONT><STRONG>"</STRONG>,"previous":{"name":"screenView","screenName":"homeScreen","subscreenName":"STB.TOP.HOME"</P><P><STRONG>Result2:</STRONG></P><P>MessageReceiver:96 - Message received: {"name":"screenView","screenName":"homeScreen","previous":{<FONT color="#FF0000">"name":"screenView","screenName":"assetcard"</FONT></P> Wed, 20 Mar 2024 12:32:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681374#M232832 frodelauka 2024-03-20T12:32:08Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681384#M232836 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265955">@frodelauka</a>&nbsp;<BR /><BR />One way to do it based on the events you shared is as below.<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval log="MessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"assetcard\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"subscreenName\":\"STB.TOP.HOME\"\r\nMessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"assetcard\"" | makemv log delim="\r\n" | mvexpand log | eval check_msg_rxd=trim(replace(replace(mvindex(split(mvindex(split(log,",\"previous"),0),"received:"),-1),"\"",""),"\{","")) | where like(check_msg_rxd,"%assetcard")</LI-CODE><P>&nbsp;</P><P>If the reply helps, a Karma upvote would be appreciated.</P> Wed, 20 Mar 2024 13:02:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681384#M232836 Gr0und_Z3r0 2024-03-20T13:02:28Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681388#M232838 <P>I appreciate the feedback but as I'm just a Splunk rookie I do not understand the logic behind you query. Also, the makeresults function should be the first in the search so how would the entire search look like?</P> Wed, 20 Mar 2024 13:27:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681388#M232838 frodelauka 2024-03-20T13:27:17Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681389#M232839 <P>Simplifying the way to approach it with a regex...<BR /><BR /></P> <LI-CODE lang="markup">| rex field=_raw "Message received:\s\{(?P&lt;check&gt;.*?)\,\"previous" | where like(check,"%assetcard%")</LI-CODE> <P><BR /><BR />The idea is to get values before the word "previous" and check that string with the one you want to meet your search criteria.</P> Wed, 20 Mar 2024 16:47:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681389#M232839 Gr0und_Z3r0 2024-03-20T16:47:23Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681396#M232843 <P>I understand. Still, trying to run the search it returns no result...</P> <LI-CODE lang="markup">index=example host=* message_name=* AND profileId="example" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard"" | rex field=_raw "Message received:\s\{(?P&lt;check&gt;.*?)\,\"previous" | where like(check,"%assetcard%")</LI-CODE> Wed, 20 Mar 2024 16:47:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-a-specific-phrase-in-a-Splunk-search/m-p/681396#M232843 frodelauka 2024-03-20T16:47:46Z