Solved: Filter events with specific text - Splunk Community

Splunk Search

I've already indexed a bunch of syslog data. However, when I search I'd like to be able to filter out certain events that have the same text in them. How can I do this? For example I want to filter out "Failed to ready header on stream TCP" from my search results (see example text below). Thanks!

Example:

Aug 1 10:17:56 10.112.101.103 Aug 1 14:17:57 Hostd: [2011-08-01 14:17:57.724 54B16B90 error 'App'] Failed to read header on stream TCP(local=127.0.0.1:62968, peer=127.0.0.1:0): N7Vmacore15SystemExceptionE(Connection reset by peer)

1 Solution

Solution

add the following to your search:

NOT "Failed to ready header on stream TCP"

Or if that message is already being extracted in a field,

NOT myfield="Failed to ready header on stream TCP"

View solution in original post

Solution

add the following to your search:

NOT "Failed to ready header on stream TCP"

Or if that message is already being extracted in a field,

NOT myfield="Failed to ready header on stream TCP"

Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...