I am currently experimenting with the nmap scan output format and indexing the scan results with splunk.
I noticed that I got a lot of lines containing "Nmap scan report for 184.108.40.206 [host down]" which means that the line does not contain any useful information for me. I would like to skip all lines containing "host down".
Is there a hack to achieve this?
asked 10 Feb '12, 02:36
There is specific functionality for filtering incoming logs, so I wouldn't consider it a "hack" :)
Have a look at the following docs page that explains how to achieve this: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues
answered 10 Feb '12, 02:48