Are these the only 2 apps you've used for Sophos? I see a few out there... just curious if maybe on your search head, somebody renamed the sourcetype? I guess maybe if that's the case, you could try searching or looking for the _sourcetype field?
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
* To search for the original source type without renaming it, use the
* Data from a renamed sourcetype only uses the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string
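One way to check whether a sourcetype has been renamed on a search head, as an added example that is not part of the original post: a small parser that scans props.conf text for non-empty `rename` settings and lists which original sourcetypes are affected. The sample config, stanza names and function names are constructed for illustration.

```python
import re

# Constructed sample props.conf content (not from the original post);
# all stanza and sourcetype names here are hypothetical.
SAMPLE_PROPS = """\
[sophos:utm:firewall]
rename = sophos_fw
EXTRACT-src = src=(?<src_ip>\\S+)

[sophos_fw]
REPORT-fields = sophos_fw_kv

[source::/var/log/sophos/*.log]
sourcetype = sophos:utm:firewall

[sophos:central]
rename =
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")

def find_renames(props_text):
    """Return {original_sourcetype: renamed_to} for non-empty rename settings."""
    renames, stanza = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            continue
        m = SETTING_RE.match(line)
        # The quoted spec describes rename for [<sourcetype>] stanzas,
        # so host:: and source:: stanzas are skipped.
        if not m or stanza is None or stanza.startswith(("host::", "source::")):
            continue
        value = m.group("value").strip()
        if m.group("key") == "rename" and value:  # empty string is the default
            renames[stanza] = value
    return renames

def search_hints(renames):
    """Describe, per renamed sourcetype, which field still holds the original name."""
    return [f'_sourcetype="{orig}" (events now appear as sourcetype="{new}")'
            for orig, new in sorted(renames.items())]

if __name__ == "__main__":
    for hint in search_hints(find_renames(SAMPLE_PROPS)):
        print(hint)
```

Any stanza it reports is also one whose own EXTRACT/REPORT settings are ignored at search time, per the spec text quoted above.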