Getting Data In

Missed data from SOPHOS

zksvc
Contributor

I am encountering an issue regarding the synchronization of update logs between Sophos and Splunk for a specific host, designated as "EXAMPLE01." According to the Sophos console, the device has received updates on the following dates:

  • 19 Nov 2024
  • 20 Nov 2024
  • 26 Nov 2024
  • 2 Dec 2024
  • 3 Dec 2024
  • 10 Dec 2024
  • 17 Dec 2024
  • 21 Jan 2025

However, when I search in Splunk within the same timeframe (1 Nov 2024 to 23 Jan 2025), the logs only show updates on:

  • 3 Dec 2024
  • 10 Dec 2024
  • 17 Dec 2024

I aim to establish a rule that triggers a notification if there has been no update for 20 days or more. Regrettably, despite the Sophos console indicating recent updates, the discrepancies in Splunk raise concerns about accurate monitoring.

I have verified the settings under Indexing > Indexes and Volumes in Splunk, and everything appears to be configured correctly. Could anyone provide insights on how to track and resolve this discrepancy?

Thank you for your assistance.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...