Hi there,
I have installed Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events).
I am getting events as expected.
Sourcetype observed at HF = sophos:central:alerts and sophos:central:events
Sourcetype observed at SH = sophos_central_events
I am not sure how and why these events are coming into this sourcetype at SH level. I was expecting it with 2 sourcetypes which have been observed at HF.
Could someone please help me to understand?
I want to extract fields as well, but I am not sure at which level it would serve my purpose.
I tried to extract at HF level as per my understanding.
This might be a silly issue, but I can't figure it out.
Regards,
Tejas
Run splunk cmd btool props list --debug | grep sophos_central_events
on your heavies, indexers, and search heads. That should find your culprit.
Hey Xavier,
Sorry I did not try your suggestion yet.
I will do and let you know the results.
Regards,
Tejas
Are these the only 2 apps you've used for Sophos? I see a few out there... just curious if maybe on your search head somebody renamed the sourcetype? I guess maybe if that's the case, you could try searching for or looking at the _sourcetype field?
From props.conf
rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the
field _sourcetype.
* Data from a renamed sourcetype only uses the search-time
configuration for the target sourcetype. Field extractions
(REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string
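To make the rename behaviour above concrete, here is an added illustration (not from this thread, and not claiming this is what is configured on the poster's search head): a hypothetical search-head props.conf that renames the HF sourcetype, and where search-time field extractions must live for them to apply. The EXTRACT names and regex are assumptions for the example.

```ini
# Hypothetical search-head props.conf (added example, not from the thread).
# Events are indexed as sophos:central:events (set by the add-on on the HF);
# a search-time rename makes them appear as sophos_central_events on the SH.
# Confirm whether such a stanza exists with:
#   splunk btool props list --debug | grep -i sophos

[sophos:central:events]
rename = sophos_central_events
# NOT applied: extractions in a renamed stanza are ignored at search time.
EXTRACT-sophos_event_id = "id":"(?<event_id>[^"]+)"

[sophos_central_events]
# Applied: search-time extractions belong in the target (renamed-to) stanza.
EXTRACT-sophos_event_id = "id":"(?<event_id>[^"]+)"

# Searching after the rename:
#   sourcetype=sophos_central_events            -> matches the renamed events
#   _sourcetype=sophos:central:events           -> matches by the original name
#   ... | stats count by sourcetype _sourcetype -> shows both names side by side
```

Note that EXTRACT is search-time and takes effect on the search head, whereas index-time settings (for example TRANSFORMS) take effect on the parsing tier, here the HF, so where you place an extraction depends on which kind it is.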
Thanks for the info Maciep.
Sophos add-on for Splunk is the only one installed on the HF.
And SH and indexer are managed by Splunk. So I don't think they would change anything over there.
Please let me know if you have any other options.
Regards,
Tejas