Hello comrades, After my poor research, I found that only heavy forwarder supports props.conf, but it was like 5 or 6 years old posts. I wonder that UF could now support props.conf? Also how do I upgrade to HF? Many thanks,  

I'm trying to extract all the CVEs and associated their CVSS scores from Shodan's API (JSON response). The response is typically in the format where the number after data depends on the number of services detected, example data: data :[ 0 22/tcp/OpenSSH :{ … }, 1 80/tcp/Apache httpd :{ vulns :{ "CVE-2013-6501" :{ cvss :4.6, references :[ … ], summary :"The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.", Current search: | curl method=get uri=https://api.shodan.io/shodan/host/"IP"?key=APIKEY | spath input=curl_message path="data{0}.vulns" output=test_array | mvexpand test_array | spath input=test_array | table CVE*.cvss When using curl from WebTools, spath doesn't appear to be extracting all the fields (e.g. only 4 of the 15 CVEs are displayed in the table), likely because of the 5000 character limit for spath. Is there another method that would be able to keep data like the CVE, cvss and summary linked while splitting the data? Delim via comma seems like it wouldn't be possible since the summaries also include commas.

Hi Splunk Team,  The Documentation says UF default installation port is 8989 (https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Installanixuniversalforwarder ) (from 9.1.0... before 9.1.0, that default port information is not updated in that page at all)   May i know if its a typo and it should have been 8089.. please suggest, thanks.