I have installed Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events).
I am getting events as expected.
Sourcetype observed at HF = sophos:central:alerts and sophos:central:events
Sourcetype observed at SH = sophoscentralevents
I am not sure how and why these events are coming into this sourcetype at SH level. I was expecting it with 2 sourcetypes which have been observed at HF.
Could someone please help me to understand?
I also want to extract fields, but I am not sure at what level it would serve my purpose.
I tried to extract at HF level as per my understanding.
This might be a silly issue, but I can't figure it out.
Are these the only 2 apps you've used for Sophos? I see a few out there... just curious if maybe on your search head somebody renamed the sourcetype? I guess maybe if that's the case, you could try searching or looking for the _sourcetype field?
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with sourcetype=<string>
* To search for the original source type without renaming it, use the field _sourcetype.
* Data from a renamed sourcetype only uses the search-time configuration for the target sourcetype. Field extractions (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string
Thanks for the info Maciep.
Sophos add-on for Splunk is the only one installed on HF.
And SH and indexer are managed by Splunk. So I don't think they would change anything over there.
Please let me know if you have any other options.
splunk cmd btool props list --debug | grep sophos_central_events on your heavies, indexers, and search heads. That should find your culprit.
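As an added illustration (not from the thread, the Sophos add-on or Splunk itself) of what the rename setting quoted above and the btool check are looking for: a small parser that, given props.conf-style text such as the merged btool output, reports which stanza renames a sourcetype to the name seen on the search head, and which EXTRACT/REPORT settings in that stanza are therefore ignored at search time. The props.conf content is constructed for the example; the stanza names follow the thread, the extraction is hypothetical.

```python
"""Locate the props.conf stanza behind a renamed sourcetype.

Added example, not the Splunk Answers thread's own code. Feed `parse_props`
the merged output of `splunk cmd btool props list --debug` (or a single
props.conf) on a real instance; here a constructed sample is used instead.
"""
import re

# Constructed sample: the HF sourcetype is renamed to the name observed at the SH,
# and the same stanza carries a (hypothetical) EXTRACT that rename causes to be ignored.
SAMPLE_PROPS = """
[sophos:central:alerts]
KV_MODE = json

[sophos:central:events]
KV_MODE = json
EXTRACT-sophos_user = "user":"(?<user>[^"]+)"
rename = sophoscentralevents

[sophoscentralevents]
KV_MODE = json
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_props(text):
    """Parse props.conf-style text into {stanza: {key: value}}; later keys win."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def find_rename_sources(text, observed):
    """Stanza names whose `rename` setting yields the sourcetype `observed` at search time."""
    return sorted(name for name, kv in parse_props(text).items()
                  if kv.get("rename") == observed)


def ignored_extractions(text, stanza):
    """EXTRACT-/REPORT- keys in `stanza` that are ignored because it is renamed."""
    kv = parse_props(text).get(stanza, {})
    if "rename" not in kv:
        return []
    return sorted(k for k in kv if k.startswith(("EXTRACT-", "REPORT-")))
```

Searching with `_sourcetype="sophos:central:events"` still reaches the original name; field extractions for renamed data have to live in the target stanza.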