Different sourcetypes at heavy forwarder and search head
Hi there, I have installed the Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events). I am getting events as expected.

**Sourcetype observed at HF = sophos:central:alerts and sophos:central:events**
**Sourcetype observed at SH = sophos_central_events**

I am not sure how and why these events are coming into this sourcetype at SH level. I was expecting them with the 2 sourcetypes which have been observed at HF. Could someone please help me to understand? I also want to extract fields but am not sure at what level it would serve my purpose. I tried to extract at HF level as per my understanding. This might be a silly issue but I can't figure it out.

Regards, Tejas