Hi there,
I have installed Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events).
I am getting events as expected.
Sourcetype observed at HF = sophos:central:alerts and sophos:central:events
Sourcetype observed at SH = sophos_central_events
I am not sure how and why these events are coming into this sourcetype at SH level. I was expecting it with 2 sourcetypes which have been observed at HF.
Could someone please help me to understand?
I want to extract fields also but not sure at what level, it would serve my purpose.
I tried to extract at HF level as per my understanding.
This might be the silly issue but I can't figure it out.
Regards,
Tejas
↧