Different sourcetypes at heavy forwarder and search head

tbavarva
Path Finder

Hi there,
I have installed the Sophos add-on for Splunk at the HF level and configured 2 inputs (Sophos alerts and events).

I am getting events as expected.

Sourcetypes observed at the HF = sophos:central:alerts and sophos:central:events
Sourcetype observed at the SH = sophos_central_events

I am not sure how and why these events are coming into this sourcetype at the SH level. I was expecting them with the 2 sourcetypes observed at the HF.

Could someone please help me understand?

I also want to extract fields but am not sure at which level that would serve my purpose.

I tried to extract at the HF level as per my understanding.

This might be a silly issue but I can't figure it out.

Regards,
Tejas

0 Karma

xavierashe
Contributor

Run splunk cmd btool props list --debug | grep sophos_central_events on your heavies, indexers, and search heads. That should find your culprit.

0 Karma

tbavarva
Path Finder

Hey Xavier,
Sorry, I have not tried your suggestion yet.

I will do so and let you know the results.

Regards,
Tejas

0 Karma

maciep
Champion

Are these the only 2 apps you've used for Sophos? I see a few out there... just curious whether maybe somebody renamed the sourcetype on your search head? I guess if that's the case, you could try searching for or looking at the _sourcetype field.

From props.conf:

rename = <string>
* Renames [<sourcetype>] as <string> at search time
* With renaming, you can search for the [<sourcetype>] with
  sourcetype=<string>
* To search for the original source type without renaming it, use the
  field _sourcetype.
* Data from a renamed sourcetype only uses the search-time
  configuration for the target sourcetype. Field extractions
  (REPORTS/EXTRACT) for this stanza sourcetype are ignored.
* Default: empty string

0 Karma
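One way to work through the btool output Xavier suggests and locate a rename like the one Maciep quotes, as an added example that is not from either poster: btool --debug prefixes each line with the file that contributed it, so a parser can report which app's props.conf sets rename for which stanza. The sample output and file paths below are constructed, not taken from Tejas's deployment.

```python
import re

# Constructed sample of `splunk cmd btool props list --debug` output.
# The app paths are placeholders, not the real Sophos add-on layout.
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunk/etc/apps/sophos_addon/default/props.conf   [sophos:central:alerts]
/opt/splunk/etc/apps/sophos_addon/default/props.conf   KV_MODE = json
/opt/splunk/etc/apps/sophos_addon/default/props.conf   [sophos:central:events]
/opt/splunk/etc/apps/sophos_addon/default/props.conf   KV_MODE = json
/opt/splunk/etc/apps/search/local/props.conf           rename = sophos_central_events
/opt/splunk/etc/apps/search/local/props.conf           [sophos_central_events]
/opt/splunk/etc/apps/search/local/props.conf           EXTRACT-user = user=(?<user>\S+)
"""

# Each btool --debug line is "<path><whitespace><stanza header or key = value>".
LINE_RE = re.compile(r"^(?P<file>\S+)\s+(?P<body>.*)$")
STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, file)}}, keeping the file each setting came from."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        path, body = m.group("file"), m.group("body").strip()
        header = STANZA_RE.match(body)
        if header:
            current = header.group("stanza")
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in body:
            continue
        key, value = (part.strip() for part in body.split("=", 1))
        stanzas[current][key] = (value, path)
    return stanzas


def find_renames_to(stanzas, target):
    """List (original_sourcetype, file) pairs whose rename points at `target`."""
    return [
        (stanza, settings["rename"][1])
        for stanza, settings in stanzas.items()
        if "rename" in settings and settings["rename"][0] == target
    ]


if __name__ == "__main__":
    for original, path in find_renames_to(parse_btool_debug(SAMPLE_BTOOL_OUTPUT), "sophos_central_events"):
        print(f"{original} is renamed to sophos_central_events in {path}")
```

Run the real command on each tier and feed its output to parse_btool_debug; a hit on the search head but not on the HF explains the differing sourcetype names.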

tbavarva
Path Finder

Thanks for the info, Maciep.

The Sophos add-on for Splunk is the only one installed on the HF.

And the SH and indexer are managed by Splunk, so I don't think they would change anything over there.

Please let me know if you have any other options.

Regards,
Tejas

0 Karma