Solved: Filter events with specific text

procha · ‎08-01-2011

I've already indexed a bunch of syslog data. However, when I search I'd like to be able to filter out certain events that have the same text in them. How can I do this? For example I want to filter out "Failed to ready header on stream TCP" from my search results (see example text below). Thanks!

Example:

Aug 1 10:17:56 10.112.101.103 Aug 1 14:17:57 Hostd: [2011-08-01 14:17:57.724 54B16B90 error 'App'] Failed to read header on stream TCP(local=127.0.0.1:62968, peer=127.0.0.1:0): N7Vmacore15SystemExceptionE(Connection reset by peer)

RicoSuave · ‎08-01-2011

add the following to your search:

NOT "Failed to ready header on stream TCP"

Or if that message is already being extracted in a field,

NOT myfield="Failed to ready header on stream TCP"

View solution in original post

RicoSuave · ‎08-01-2011

add the following to your search:

NOT "Failed to ready header on stream TCP"

Or if that message is already being extracted in a field,

NOT myfield="Failed to ready header on stream TCP"

Filter events with specific text

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation