This is how I parse .gnmap files.
index="gnmap"
| eval ports=split(_raw,",")
| mvexpand ports
| Search ports!="*host*"
| rex field=_raw "Host:\s(?<dest_ip>\d+.\d+.\d+.\d+)\s+\((?<fqdn>.*)\)"
| rex field=ports "(?<port>\d+)\/+(?<status>\w+)\/+(?<proto>\w+)\/+(?<desc>\w+|\/)"
| rex field=_raw "OS:\s(?<os>\w+)"
| table dest_ip fqdn port status proto desc os
... View more