Solved: Filter events with specific text - Splunk Community

Splunk Search

I've already indexed a bunch of syslog data. However, when I search I'd like to be able to filter out certain events that have the same text in them. How can I do this? For example I want to filter out "Failed to ready header on stream TCP" from my search results (see example text below). Thanks!

Example:

Aug 1 10:17:56 10.112.101.103 Aug 1 14:17:57 Hostd: [2011-08-01 14:17:57.724 54B16B90 error 'App'] Failed to read header on stream TCP(local=127.0.0.1:62968, peer=127.0.0.1:0): N7Vmacore15SystemExceptionE(Connection reset by peer)

1 Solution

Solution

add the following to your search:

NOT "Failed to ready header on stream TCP"

Or if that message is already being extracted in a field,

NOT myfield="Failed to ready header on stream TCP"

View solution in original post

Solution

add the following to your search:

NOT "Failed to ready header on stream TCP"

Or if that message is already being extracted in a field,

NOT myfield="Failed to ready header on stream TCP"

Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...