Hello Splunkers,
I have an enterprise Splunk deployment with 4 indexer clusters and a Search Head cluster.
I have installed the Sophos app on the Search Head. I am getting the logs from Sophos Central servers by the API integration method. I would like to know where these logs are stored. How do I identify which indexer it's storing on?
Look at the field splunk_server. This will tell you the hostname of the indexer that the data is stored on.