My answer at "Is it possible to split discovery message field?" applies to this question too. The best way to do this would be with a pre-processor like Logstash, which would split out the parts of that message and store them in Elasticsearch as different fields. If that isn't an option, or you just want something to work in the short term, you can use a scripted field to extract just the part of the text that you want.