
Different sourcetypes at heavy forwarder and search head

Path Finder

Hi there,
I have installed the Sophos add-on for Splunk at the HF level and configured 2 inputs (Sophos alerts and events).

I am getting events as expected.

Sourcetype observed at HF = sophos:central:alerts and sophos:central:events
Sourcetype observed at SH = sophoscentralevents

I am not sure how and why these events are coming into this sourcetype at the SH level. I was expecting them to arrive with the 2 sourcetypes that have been observed at the HF.

Could someone please help me to understand?

I also want to extract fields, but I am not sure at what level that would serve my purpose.

I tried to extract at the HF level, as per my understanding.

This might be a silly issue, but I can't figure it out.

Regards,
Tejas


Re: Different sourcetypes at heavy forwarder and search head

Champion

Are these the only 2 apps you've used for Sophos? I see a few out there... just curious if maybe on your search head somebody renamed the sourcetype? I guess if that's the case, you could try searching or looking for the _sourcetype field.

From props.conf

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a renamed sourcetype only uses the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string

Re: Different sourcetypes at heavy forwarder and search head

Path Finder

Thanks for the info Maciep.

The Sophos add-on for Splunk is the only one installed on the HF.

And the SH and indexer are managed by Splunk, so I don't think they would change anything over there.

Please let me know if you have any other options.

Regards,
Tejas


Re: Different sourcetypes at heavy forwarder and search head

Contributor

Run splunk cmd btool props list --debug | grep sophos_central_events on your heavies, indexers, and search heads. That should find your culprit.

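As an added example (not code from this thread, and not part of the Sophos add-on), the following Python script parses the output of `splunk cmd btool props list --debug` as suggested above and reports every stanza that carries the `rename` setting quoted from props.conf, plus any EXTRACT-/REPORT- settings that sit on a renamed stanza and are therefore ignored at search time. The btool output embedded in it is constructed for illustration; the app name `TA-sophos-central`, its file paths and its settings are assumptions, not the real add-on's configuration.

```python
"""Find search-time sourcetype renames in `splunk cmd btool props list --debug` output.

Added example, not code from the thread or from the Sophos add-on. btool --debug
prefixes every config line with the file it came from; this script groups those
lines by stanza and reports rename= settings and extractions that rename= disables.
"""
import re
from collections import OrderedDict

# Constructed sample in btool --debug shape; NOT the real Sophos add-on's props.conf.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/apps/TA-sophos-central/default/props.conf  [sophos:central:alerts]
/opt/splunk/etc/apps/TA-sophos-central/default/props.conf  rename = sophoscentralevents
/opt/splunk/etc/apps/TA-sophos-central/local/props.conf    EXTRACT-severity = severity="(?<severity>\\w+)"
/opt/splunk/etc/apps/TA-sophos-central/default/props.conf  [sophos:central:events]
/opt/splunk/etc/apps/TA-sophos-central/default/props.conf  rename = sophoscentralevents
/opt/splunk/etc/apps/TA-sophos-central/default/props.conf  [sophoscentralevents]
/opt/splunk/etc/apps/TA-sophos-central/default/props.conf  KV_MODE = json
/opt/splunk/etc/system/default/props.conf                  [default]
/opt/splunk/etc/system/default/props.conf                  ANNOTATE_PUNCT = True
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.*)$")      # "<file>  <config line>"
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")             # "[sourcetype]"
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")  # "key = value"


def parse_btool_debug(text):
    """Return OrderedDict: stanza -> {"path": file, "settings": {key: (value, file)}}."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        path, body = m.group("path"), m.group("body").strip()
        sm = STANZA_RE.match(body)
        if sm:
            current = sm.group("name")
            stanzas.setdefault(current, {"path": path, "settings": OrderedDict()})
            continue
        kv = KV_RE.match(body)
        if kv and current is not None:
            stanzas[current]["settings"][kv.group("key")] = (kv.group("value").strip(), path)
    return stanzas


def find_renames(stanzas):
    """List (original_sourcetype, target_sourcetype, file) for every stanza with rename=."""
    found = []
    for name, data in stanzas.items():
        if "rename" in data["settings"]:
            target, path = data["settings"]["rename"]
            found.append((name, target, path))
    return found


def find_ignored_extractions(stanzas):
    """EXTRACT-*/REPORT-* on a stanza that also has rename= never fire (props.conf.spec:
    a renamed sourcetype only uses the target sourcetype's search-time config)."""
    ignored = []
    for name, data in stanzas.items():
        settings = data["settings"]
        if "rename" not in settings:
            continue
        for key, (_, path) in settings.items():
            if key.startswith(("EXTRACT-", "REPORT-")):
                ignored.append((name, key, path))
    return ignored


def report(text):
    """Human-readable summary lines for one tier's btool output."""
    stanzas = parse_btool_debug(text)
    lines = []
    for orig, target, path in find_renames(stanzas):
        lines.append(f"[{orig}] is renamed to '{target}' at search time by {path}; "
                     f"search _sourcetype=\"{orig}\" to see it under the original name")
    for stanza, key, path in find_ignored_extractions(stanzas):
        lines.append(f"{key} in [{stanza}] ({path}) is ignored because the stanza is "
                     f"renamed; move it to the [{stanza}] target sourcetype's stanza")
    if not lines:
        lines.append("no rename= stanzas found in this output")
    return lines


if __name__ == "__main__":
    import sys
    # Feed real btool output on stdin, otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BTOOL_OUTPUT
    print("\n".join(report(data)))
```

Run it on each tier as `splunk cmd btool props list --debug | grep -i sophos | python3 find_renames.py` (script name is an assumption). The tier whose output lists a `rename` is the one producing the `sophoscentralevents` name: `rename` is a search-time setting, so the indexed sourcetype (and the `_sourcetype` field) keeps the original value while search results show the target. Because extractions on the original stanza are ignored once it is renamed, `EXTRACT-`/`REPORT-` settings belong on the target stanza, and as search-time settings they must be present on the search head, not only on the HF.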

Re: Different sourcetypes at heavy forwarder and search head

Path Finder

Hey Xavier,
Sorry I did not try your suggestion yet.

I will do and let you know the results.

Regards,
Tejas
