Getting Data In

Different sourcetypes at heavy forwarder and search head

tbavarva
Path Finder

Hi there,
I have installed Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events).

I am getting events as expected.

Sourcetype observed at HF = sophos:central:alerts and sophos:central:events
Sourcetype observed at SH = sophos_central_events

I am not sure how and why these events are coming into this sourcetype at SH level. I was expecting it with 2 sourcetypes which have been observed at HF.

Could someone please help me to understand?

I want to extract fields also but not sure at what level, it would serve my purpose.

I tried to extract at HF level as per my understanding.

This might be the silly issue but I can't figure it out.

Regards,
Tejas

0 Karma

xavierashe
Contributor

Run splunk cmd btool props list --debug | grep sophos_central_events on your heavies, indexers, and search heads. That should find your culprit.

0 Karma

tbavarva
Path Finder

Hey Xavier,
Sorry I did not try your suggestion yet.

I will do and let you know the results.

Regards,
Tejas

0 Karma

maciep
Champion

are these the only 2 apps you've used for sophos? I see a few out there...just curious if maybe on your search head, somebody renamed the sourcetype? I guess maybe if that's the case, you could try searching or looking for the _sourcetype field?

From props.conf

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a renamed sourcetype only uses the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string

0 Karma
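To make the rename behaviour quoted above concrete, here is a constructed props.conf fragment (an added illustration, not the Sophos add-on's shipped configuration): it shows how a search-time rename would make the HF's sourcetype surface as sophos_central_events on the search head, and where field extractions have to live once a rename is in place. The stanza names follow the sourcetypes from the question; the EXTRACT field and regex are hypothetical.

```ini
# props.conf on the search head (constructed example)

# Sourcetype as written at index time by the heavy forwarder input.
[sophos:central:events]
# Search-time rename: searches now see sourcetype=sophos_central_events.
# The original value is still available in the _sourcetype field:
#   index=<your_index> _sourcetype="sophos:central:events"
rename = sophos_central_events
# IGNORED: once rename is set, EXTRACT/REPORT in this stanza are not applied.
EXTRACT-severity = severity=(?<severity>\w+)

# Target stanza: search-time configuration is taken from here instead,
# so field extractions for the renamed data belong in this stanza.
[sophos_central_events]
# Hypothetical extraction; EXTRACT runs at search time on the search head,
# not on the heavy forwarder, so configuring it only on the HF has no effect.
EXTRACT-severity = severity=(?<severity>\w+)
```

Running the btool command suggested earlier on each tier shows which file, if any, supplies such a rename or target stanza.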

tbavarva
Path Finder

Thanks for the info Maciep.

Sophos add-on for Splunk is the only one installed on HF.

And SH and indexer are managed by Splunk. So I don't think they would change anything over there.

Please let me know if you have any other options.

Regards,
Tejas

0 Karma