Maily I have three sourcetypes
sourcetype=Officescan ( workstation logs( signature update, malware etc)
sourcetype = deepsecurity ( servers, malware logs)
sourcetype = trendmicro ( TrendMicro Control centre logs)
I can see the sourecetype=trendmicro with tag=malware. but other I can't see although they have also tag=malware.
secondly how can I made the app CIM compliant.
In continuation of above, I install the TA_officescan TA on search head and on ES.
on search Head I can see the proper field extration and tags assosication. whereas In ES i cant see field extration NOR tag association.
am i missing something.?
Answering to myself:
the naming convention for splunk apps to be appear in Splunk ES.