I am encountering an issue regarding the synchronization of update logs between Sophos and Splunk for a specific host, designated as "EXAMPLE01." According to the Sophos console, the device has received updates on the following dates:
However, when I search in Splunk within the same timeframe (1 Nov 2024 to 23 Jan 2025), the logs only show updates on:
I aim to establish a rule that triggers a notification if there has been no update for 20 days or more. Regrettably, despite the Sophos console indicating recent updates, the discrepancies in Splunk raise concerns about accurate monitoring.
I have verified the settings under Indexing > Indexes and Volumes in Splunk, and everything appears to be configured correctly. Could anyone provide insights on how to track and resolve this discrepancy?
Thank you for your assistance.
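One way to approach both halves of the question, added here as an illustration and not part of the original post or of Sophos or Splunk documentation: the first search implements the "no update for 20 days" alert and also surfaces hosts that never reached Splunk at all, by appending an assumed asset lookup (sophos_managed_hosts.csv, one column named host); the second search looks at the EXAMPLE01 events by index time rather than event time, so updates that arrived with a badly parsed or delayed _time still show up, together with how far _indextime and _time disagree. The index, sourcetype and update-event filter are placeholders in angle brackets to be replaced with the values used in your environment.

```spl
index=<sophos_index> sourcetype=<sophos_sourcetype> <update_event_filter> earliest=-90d latest=now
| stats latest(_time) AS last_update BY host
| append [| inputlookup sophos_managed_hosts.csv | fields host | eval last_update=0]
| stats max(last_update) AS last_update BY host
| eval days_since_update = if(last_update=0, 9999, round((now() - last_update) / 86400, 1))
| where days_since_update >= 20
| eval last_update = if(last_update=0, "never seen in Splunk", strftime(last_update, "%Y-%m-%d %H:%M:%S"))
| table host last_update days_since_update
| sort - days_since_update

index=<sophos_index> sourcetype=<sophos_sourcetype> host="EXAMPLE01" _index_earliest=-90d _index_latest=now
| eval ingest_lag_hours = round((_indextime - _time) / 3600, 1)
| bin _time span=1d
| stats count AS events min(ingest_lag_hours) AS min_lag_hours max(ingest_lag_hours) AS max_lag_hours BY _time
| sort _time
```

Schedule the first search as an alert that fires whenever it returns results; in the second, days that appear here but were absent from the original event-time search, or large positive or negative lag values, point at timestamp extraction or delayed forwarding rather than at Sophos not reporting the update.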