
I am currently experimenting with the nmap scan output format and indexing the scan results with Splunk.

I noticed that I got a lot of lines containing "Nmap scan report for 57.57.223.255 [host down]" which means that the line does not contain any useful information for me. I would like to skip all lines containing "host down".

Is there a hack to achieve this?

asked 10 Feb '12, 02:36


FRoth


One Answer:

There is specific functionality for filtering incoming logs, so I wouldn't consider it a "hack" :)

Have a look at the following docs page that explains how to achieve this: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues


answered 10 Feb '12, 02:48


Ayn
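
The filtering described on that docs page works by routing matching events to `nullQueue` at parse time, on the indexer or a heavy forwarder. A configuration for this case, added here as an example and not taken from the original posts; the sourcetype name `nmap` and the stanza name `drop_nmap_host_down` are assumptions:

```ini
# props.conf (e.g. $SPLUNK_HOME/etc/system/local/props.conf)
# "nmap" is an assumed sourcetype name; use the one assigned to the scan output.
[nmap]
# Nmap normal output has no per-line timestamps, so break events explicitly:
# one event per host report instead of relying on default line merging.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=Nmap (?:scan report for |done:))
# Run the transform below on every event of this sourcetype.
TRANSFORMS-drop_host_down = drop_nmap_host_down

# transforms.conf (same directory)
# Hypothetical stanza name; it only has to match the reference in props.conf.
[drop_nmap_host_down]
# Matches e.g. "Nmap scan report for 57.57.223.255 [host down]"
REGEX = ^Nmap scan report for [^\r\n]+\[host down\]
# Send matching events to the null queue so they are discarded before indexing.
DEST_KEY = queue
FORMAT = nullQueue
```

Events that are already indexed are not affected; the filter applies to data indexed after Splunk is restarted with the new configuration.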


Asked: 10 Feb '12, 02:36

Seen: 1,045 times

Last updated: 10 Feb '12, 02:48

Copyright © 2005-2012 Splunk Inc. All rights reserved.