@Arty there is a VSCode extension: https://splunk.github.io/vscode-extension-splunk-soar/  This allows you to connect to your instance and download, upload, edit and test apps from VSCode.    -- Hope this helps! If so please mark as a solution for others! Happy SOARing! --

Hello, To achieve this, you can iterate through your events, calculate the SHA256 hash for each event, and then construct a new JSON object. The resulting JSON will have SHA256 hashes as keys, each associated with the original event. Here's an example implementation in Python: import json import hashlib # Your list of events in JSON format events = [ { "key1": "val1", "key2": "val2" }, { "key1": "val1a", "key2": "val2a" }, # Add more events as needed ] # Function to calculate SHA256 hash for a given event def calculate_sha256(event): event_json = json.dumps(event, sort_keys=True) sha256_hash = hashlib.sha256(event_json.encode()).hexdigest() return sha256_hash # Construct the new JSON object with SHA256 hashes as keys new_json = {} for event in events: sha256_key = calculate_sha256(event) new_json[sha256_key] = event # Print the result print(json.dumps(new_json, indent=2)) This script defines a function (calculate_sha256) to calculate the SHA256 hash for a given event and then constructs the new JSON object (new_json) as per your requirements. You can check this :  https://stackoverflow.com/questions/76263284/how-to-convert-event-object-to-json/blue prism certification I hope this will help you.

The result without the transpose looks like: reputation rep_perc spam spam_perc virus virus_perc 740284221 82.46 9695175 1.08 700 0.000078 I would like to include this table in a glass table, but as it is formatted here it taking to much place.

HI @emilep, what's the resul without transpose? did you read the command description at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Transpose ? in addition, there's this useful link https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-transpose-xyseries-untable-and-more.html#:~:text=Right%20out%20of%20the%20gate,order%20to%20improve%20your%20visualizations.  Ciao. Giuseppe

Hi as @bowesmana said you have set srchIndexesDefault srchIndexesDefault = <semicolon-separated list> * A list of indexes to search when no index is specified. * These indexes can be wild-carded ("*"), with the exception that "*" does not match internal indexes. * To match internal indexes, start with an underscore ("_"). All internal indexes are represented by "_*". * The wildcard character "*" is limited to match either all the non-internal indexes or all the internal indexes, but not both at once. * No default. Personally I always suggest that this should never set anything else than empty/null value. In long run it generates more issues for your users as they don't learn to use index=xyz if there are some indexes set here. Also when this is set by role they have totally different combination of default indexes based on which roles has granted to them. If you set this as *, then it generate performance issues quite easily if/when you have tens/hundreds of indexes. r. Ismo  

Ok, I've had a similar case but are you sure your events aren't getting sent to downstream? In my case they were and indeed duplication did occur. Tl&dr - open a case with support. You have two separate things here. One is a connection close. Unfortunately I didn't have time to dig too deply into it with the customer but it looks like a support ticket material. As fat as I remember from looking at the network traffic, it was indeed the receiving side which suddenly was sending RSTs which was totally unexpected. The other thing is that you probably have useAck enabled in your environment so as the UF tries to re-send the chunk of data it had in buffer when the connection was closed, it gets signaled that the downstream HF had already seen those because apparently closing the connection doesn't prevent the HF from processing the events further.

Hi @noobSpl888, there are three possible issues: the connection between UF and HF isn't open, maybe there's a firewall between them, check using telnet if it's open; you didn't enabled receiving on the HF, go in [Settings > Forwarding and Receiving > Receiving] and enable Receiving; you didn't point the correct address, how do you configured your outpts.conf? Ciao. Giuseppe

Your default indexes to search is probably set to a specific index/indexes, so unless you specify the index you will not find results. Note that it is always a good idea to make your searches as specific as possible so that your search does not hog resources on the servers. It is always a good idea to specify an index and sourcetype in your searches and then if you need to search wider, then increase the scope.  

Gonna maybe revive this thread. We are using RHEL 8.6 and we have Splunk Enterprise running and configured to listen on port 9997, we added it to the firewall with firewall-cmd and still netstat -l | grep 9997 returns nothing. We have tried different variations of netstat they all return zero. Also systemctl status splunk.service doesn't show the service using port 9997. Any suggestion do we need to add 9997 to the service somehow? If so how. Have set Splunk up on other RHEL 8 servers before no problem but something about this one seems different. Also the inputs.conf shows [splunktcp:\\9997] disabled=0. Any help is appreciated.