I have Splunk ES Setup and I can see the logs coming from Sophos Central onto the Search Head(where I installed the app).
I would like to know where these logs are stored in Splunk. I have tried to find logs on indexers but it wasn't.
It might be indexed locally on the search head that does the API calls. Doesn't sound like something you want especially in a SH cluster.
Typically in distributed/clustered environments these kinds of API data collection methods are ran from a Heavy Forwarder that then sends it to the indexers.
Also, that app you mention (assuming you tagged the correct app) is deprecated. Have a look at these instead.
TA Sophos Add-on for Splunk https://splunkbase.splunk.com/app/4096/
APP Sophos App for Splunk https://splunkbase.splunk.com/app/4097/
App logs as other logs are stored under $SPLUNK_HOME/var/log/splunk