Hi, thanks for your reply! We've had successful three-way TCP handshakes between our Forcepoint SMC and Splunk Enterprise (standalone) deployment; however, no data could be seen, as per this screenshot from the deployment guide: https://forcepoint.github.io/docs/ngfw_and_splunk/media/image9.png

I'm not sure what you meant by "written to the proper index", as I'm new to Splunk, but my guess would be that, yes, there is data written to the correct index, as seen from the Splunk web UI > Settings > Data > Indexes > (name) forcepoint, (app) forcepoint-solutions, (event count) 41.9M, (home path) $SPLUNK_DB/forcepoint/db. We've also created a custom sourcetype (key-value pairs), as per the deployment guide mentioned above.

"Does this app require any additional configuration to find the events?" - Not sure, that's why I was hoping someone with experience with this type of setup could advise, please.