All Posts

(Update) Use tojson with transpose.

    | eval sha256 = sha256(_raw)
    | transpose 0 header_field=sha256
    | search column=_raw
    | fields - column
    | tojson default_type=json
    | fields _raw

Your sample data thus gives:

    _raw
    {"13a485b005f3ef9af9d1e9326223f5f86d60ff1d9677d0f5e4749f91ad650227":{"key1":"val1","key2":"val2"},"b92a2ad0ea51aa55a9b298a752a6de0997c96324b3c4e74ec8d4876af490d67a":{"key1":"val1a","key2":"val2a"}}

I think this is closer to what you ask.

Another method (initial attempt): Use json_set in foreach. Assuming the "event" you described is _raw. (Works the same if they are in a different field such as "event". Just replace _raw with "event".)

    | stats values(_raw) as event
    | eval consolidated = json_object()
    | foreach event mode=multivalue [eval consolidated = json_set(consolidated, sha256(<<ITEM>>), <<ITEM>>)]

Your sample events will give:

    event (multivalue):
    { "key1": "val1", "key2":"val2"}
    { "key1": "val1a", "key2":"val2a"}

    consolidated:
    {"13a485b005f3ef9af9d1e9326223f5f86d60ff1d9677d0f5e4749f91ad650227":"{ \"key1\": \"val1\", \"key2\":\"val2\"}","b92a2ad0ea51aa55a9b298a752a6de0997c96324b3c4e74ec8d4876af490d67a":"{ \"key1\": \"val1a\", \"key2\":\"val2a\"}"}

Drawback: this produces an embedded JSON string (as opposed to a JSON object) as the value of sha256.

Here is an emulation you can play with and compare with real data:

    | makeresults
    | eval data = mvappend("{ \"key1\": \"val1\", \"key2\":\"val2\"}", "{ \"key1\": \"val1a\", \"key2\":\"val2a\"}")
    | mvexpand data
    | rename data AS _raw
    ``` data emulation above ```
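As an added illustration (not part of the answer above, and not SPL), the following Python mirrors the two consolidation shapes the answer describes, keyed by sha256 of the event text, so the difference between a nested JSON object and an embedded JSON string can be seen outside Splunk. The sample events are the two constructed strings from the answer's emulation.

```python
import hashlib
import json

# Constructed sample events, the same two strings used in the post's makeresults emulation.
RAW_EVENTS = [
    '{ "key1": "val1", "key2":"val2"}',
    '{ "key1": "val1a", "key2":"val2a"}',
]


def sha256_hex(raw: str) -> str:
    """SPL's sha256(_raw) hashes the event text as-is; do the same over its UTF-8 bytes.
    Because the key is a hash of the text, two events that differ only in whitespace
    get different keys and are NOT merged."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def consolidate_as_objects(events):
    """Shape produced by transpose + tojson default_type=json: each value is a parsed object."""
    return {sha256_hex(e): json.loads(e) for e in events}


def consolidate_as_strings(events):
    """Shape produced by json_set(consolidated, sha256(<<ITEM>>), <<ITEM>>):
    each value is the raw event text, i.e. JSON embedded as a string."""
    return {sha256_hex(e): e for e in events}


def render(consolidated) -> str:
    """Compact serialisation, comparable to what lands in _raw."""
    return json.dumps(consolidated, separators=(",", ":"))


def values_are_objects(consolidated) -> bool:
    """True only for the object-valued shape; the drawback of the string shape is that this is False."""
    return all(isinstance(v, dict) for v in consolidated.values())


def roundtrip_matches(strings_form, objects_form) -> bool:
    """The embedded strings still parse to the same objects, so no data is lost, only structure."""
    return set(strings_form) == set(objects_form) and all(
        json.loads(strings_form[k]) == objects_form[k] for k in objects_form
    )


if __name__ == "__main__":
    print(render(consolidate_as_objects(RAW_EVENTS)))
    print(render(consolidate_as_strings(RAW_EVENTS)))
```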
Nice ref.  Thanks, @bowesmana! (Looks like something since 8.)
Hi @Shalini ... Can you update us on the current license's duration (expiry date)?

Upgrade order:
Step 1) From your current 7.2, you should upgrade to 8.1.x.
Step 2) Then from 8.1.x, you should upgrade to 9.1.x.
https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/AboutupgradingREADTHISFIRST
Hi @bowesmana, thank you for clarifying that Splunk lookup does not support regex patterns. I have just attempted to include the following event in the Splunk lookup, with a wildcard at the end, in order to match other events occurring after "webextbridge.exe". But it looks like it is not working.

Original event:

    C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.XXXX.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe chrome-extension://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.XXXXXXXXXXXa3 > \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3

Splunk lookup table field value:

    "C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*"

Regards
VK
Should be possible, I think. Maybe you could copy-paste the dashboard's HTML here (removing/anonymizing hostnames and other important details)?
>>> Actually you don't need that communication at all, you could change HF license mode to use forwarder licence when it can use all HF features to forward events to the next full splunk instances (hf, uf or indexer). It can just forward but not index anything.

Yes @isoutamo, we thought of that idea. But, as HF does some "preprocessing" (field extractions, etc.) of logs, right.. so, if we use HF just like a UF (only for forwarding the logs), then the indexer's job is the same as if we don't have the HF at all, right? (I mean, the indexer needs to do the full job of all processing of logs.)

EDIT

>>> the HF - LM communication is always one way, from HF to LM never other way.

You mean, HF will send a request to LM asking for the license info, then it takes care of its job. There is no need of LM requesting/sending/asking info from/to the HF? OK, simple question... between HF and LM... please update us on the ports configuration.

Thanks @isoutamo, karma points given appreciating your response. Thanks again.
Hi, I have a simple xml dashboard. I want to be able to move the Export-To-PDF button (more of a html button) to the bottom of the dashboard in order to print the whole dashboard.  Any easy way of doing this? Thank You Everyone!  
It's not confusing, it should work if configured correctly. So having changed the <condition>, what does it do when you click google? What is the config for your <option name="drilldown">XXX</option> for that table? XXX should be row
@ITWhisperer @bowesmana Thanks for the code. It didn't work in my case. Sorry if it's confusing... I have a dashboard table with the below. If I click a value in "Organization" or URL, it has to go to a specific URL. Example: when I click google, it has to direct to the URL "https://air222.com/recxGlfW9picLnjwj" in a new tab. Or, if that doesn't work, at least if I click the URL it has to go to that URL in a new tab.

    Name    Organization    URL
    Bob     splunk          https://air222.com/6FBPUQ3Di0FC3T
    Matt    google          https://air222.com/recxGlfW9picLnjwj
    smith   facebook        https://air222.com/recRRoUIFOMxSmjRf
@alikorit - In the last month I have spent countless hours troubleshooting this with our Azure Architects, Splunk Support, Splunk CSM Engineers, Network Engineers and Azure China Engineers after we were receiving an Authentication Error for the event hubs (_ssl:1106). Nothing that we did seemed to help getting this up and running, and everyone was pointing fingers back at the networking team stating this was a networking issue due to not being able to see any traffic within or to the Azure Platform. It wasn't until recently that I was able to find the python scripts below and make the modifications that we started seeing activity both ways along with events coming into our Cloud environment.

Before moving forward, make sure you have made the following changes to your firewall:
- Allow NameSpace traffic.
- Open the ports for AMQP traffic (5671 & 5672).
- Add the Application rule to allow AAD traffic (https://login.partner.microsoftonline.cn).

As @tarungupta0311 mentioned, those two changes do have to be made. However, if you are also trying to attach a storage account, then you also need to change the account class type to 3 there as well. You don't necessarily have to have an account secret set up; however, I did, with it being an Access Token, which is secret type 1.

    [Storage Account]
    account_name = ******
    account_secret = ******
    account_secret_type = 1
    account_class_type = 3

Other python scripts that I had to modify to get it working are as follows, along with the change and string line:

mscs_const.py
Added in line 111 (this was completely missing):

    CHINACLOUD_HOSTNAME = "management.chinacloudapi.cn"

mcsc_storage_service.py
Edited line 236 (.net will take you nowhere when trying to resolve the DNS, considering it's in China).
From:

    endpoint_suffix = "core.chinacloudapi.net"

To:

    endpoint_suffix = "core.chinacloudapi.cn"

mscs_azure_event_hub.py (this was switched around, class type 3 being Germany NOT China)
Edited line 681. From:

    4: KnownAuthorities.Azure_CHINA

To:

    4: KnownAuthorities.Azure_GERMANY

Edited line 682. From:

    3: KnownAuthorities.Azure_GERMANY

To:

    3: KnownAuthorities.Azure_CHINA

Once I made the last change and rebooted splunkd on the HF, data was flowing like a flood gate was opened.
Hi, basically you could install an additional individual server and add your current license to it (don't remove it from your current LM). Then update that individual single server and check if your current license is valid or not. Then just order a new license for the new version, if needed, from Splunk support. Usually those old ones have worked without issues with new versions, but this is how you could ensure it.
r. Ismo
Hi, all splunk instances should accept nullQueue. But you must define this parameter/transformation on the first full splunk instance from UF/data source to indexers. It could be HF or indexer.
r. Ismo
Hi, if you are not storing anything on local disk/indexer then it's not counted towards your license usage. Based on your scenario, if I understand right, you are forwarding all events to the next host (indexers): then it's not counted on your license on HF level.
r. Ismo
Hi, as @gcusello said, it's better to take Splunk PS or your local Splunk partner to figure out this case with all those details which you can't share here. But basically this is doable when latency is low enough between those sites (should be) and you are using multi-site clustering. Of course you can't use SmartStore with this configuration. From a business point of view this is actually the preferred installation, as then you are not dependent on one cloud provider!
r. Ismo
Hi, if you have normal SHs without any additional components like MC then your steps should be enough. But if you have e.g. MC configured in distributed mode with those individual nodes (you shouldn't), then you need to remove those from the distributed search list. So check your distributed search list definition and update it if needed.
r. Ismo
Hi, the HF - LM communication is always one way, from HF to LM, never the other way. Actually you don't need that communication at all; you could change HF license mode to use forwarder licence, when it can use all HF features to forward events to the next full splunk instances (hf, uf or indexer). It can just forward but not index anything.
r. Ismo
    <drilldown>
      <condition field="Name">
        <link target="_blank">| inputlookup myfile.csv</link>
      </condition>
      <condition field="Organization">
        <link target="_blank">$row.URL|n$</link>
      </condition>
      <condition field="URL">
        <link target="_blank">$click.value2|n$</link>
      </condition>
    </drilldown>
@Naa_Win In your drilldown code do

    <condition field="Organization">
      <link target="_blank">$row.URL$</link>
    </condition>

Note that if you want to add any characters to the URL or url string that must be encoded, use $row.URL|s$, or if you want to prevent any character encoding use $row.URL|n$.

If you also want to do the same if the URL field is clicked, add a new condition with field=URL.
Thank you very much!
Please refer to my first post - these are the tokens that represent the attributes of your chart for when you click on the chart. Your stats statement will NOT show the clicked values because it's an incorrect statement. What is your HTML panel, what are you seeing when you click values, and what are you expecting to see? Please show the XML for your drilldown and HTML panel.