Wrong sourcetypes

Hi!

I've been struggling with getting any data to show the Sophos Central Dashboard app and from what I can see it's looking for different sourcetypes to the ones that are being ingested. I am certain I am doing something stupid, so would be grateful for any help.

Setup

I have Splunk 9.0.1 running on Ubuntu linux. I'm using v1.1.1 of the Sophos Central app from Splunkbase. I have configured the API for access and am successfully receiving data, having set up four inputs for each of the data types available.

I also have v1.0.0 of Sophos Central Dashboard installed. The only Sophos products in Central are Sophos Intercept X clients, from a number of different tenants.

If I do a really simple search, like index=sophos, I can see I get events with three different sourcetypes:

  • sophos_endpoints
  • sophos_events
  • sophos_alerts

If I go into the dashboard app, I get nothing coming up. If I inspect the query for the Top 10 Blocked Anti Virus Threats panel, I see that the query is

`sophosxgindex` sourcetype="sophos:xg:anti_virus" log_component=* (log_subtype="Virus" OR log_subtype="PUA") | stats count as Events by src_ip | rename src_ip as "Source IP" | sort -Events | head 10 | where "$show_all_panel$"=="$show_all_panel$"

Clearly this produces zero results.

If I go into Users and Devices, I get zero results for everything, even though I can see that there are results in the index showing "health.threat.status" is "bad".

I'd rather not start from scratch if I can help it, but there is no data populating the dashboard anywhere.

What am I doing wrong?
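As an added diagnostic example (not part of the original post and not code from the Sophos Central or Dashboard apps), the script below pulls every `sourcetype="..."` reference out of a dashboard's Simple XML and compares it with the sourcetypes actually present in the index, so the mismatch described above shows up per panel instead of as an empty dashboard. The dashboard XML here is a constructed stand-in: the first panel's query is the one quoted from the post, the second panel and its `sophos:xg:system_health` sourcetype are invented for illustration, and the ingested set is the three sourcetypes the post lists.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a Splunk Simple XML dashboard. The first query is the
# one quoted in the post; the second panel is invented to show a second mismatch.
DASHBOARD_XML = """<dashboard>
  <row>
    <panel>
      <title>Top 10 Blocked Anti Virus Threats</title>
      <search>
        <query>`sophosxgindex` sourcetype="sophos:xg:anti_virus" log_component=* (log_subtype="Virus" OR log_subtype="PUA") | stats count as Events by src_ip | rename src_ip as "Source IP" | sort -Events | head 10</query>
      </search>
    </panel>
    <panel>
      <title>Users and Devices</title>
      <search>
        <query>index=sophos sourcetype="sophos:xg:system_health" | stats count by user</query>
      </search>
    </panel>
  </row>
</dashboard>
"""

# Sourcetypes seen in the index (from the post's `index=sophos` search).
INGESTED_SOURCETYPES = {"sophos_endpoints", "sophos_events", "sophos_alerts"}

# Matches sourcetype=foo and sourcetype="foo:bar" inside an SPL query string.
SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"?([^"\s)]+)"?')


def expected_sourcetypes(dashboard_xml):
    """Map each panel title to the set of sourcetypes its queries reference."""
    root = ET.fromstring(dashboard_xml)
    result = {}
    for panel in root.iter("panel"):
        title_el = panel.find("title")
        title = (title_el.text or "").strip() if title_el is not None else "(untitled)"
        names = set()
        for query in panel.iter("query"):
            names.update(SOURCETYPE_RE.findall(query.text or ""))
        result[title] = names
    return result


def find_mismatches(dashboard_xml, ingested):
    """Return {panel title: sourcetypes it expects that never appear in the index}.

    A panel listed here cannot populate no matter how the inputs are tuned,
    because the search filters on a sourcetype the index does not contain.
    """
    mismatches = {}
    for title, names in expected_sourcetypes(dashboard_xml).items():
        missing = names - ingested
        if missing:
            mismatches[title] = missing
    return mismatches


if __name__ == "__main__":
    for title, missing in find_mismatches(DASHBOARD_XML, INGESTED_SOURCETYPES).items():
        print(f"{title}: expects {sorted(missing)}, index has {sorted(INGESTED_SOURCETYPES)}")
```

On a live system the ingested set would come from `index=sophos | stats count by sourcetype`, and the dashboard XML from the app's `default/data/ui/views/` directory. Any panel that appears in the output is searching for a sourcetype the inputs never produce, which is exactly the symptom in the post: the Dashboard app's panels key on `sophos:xg:*` sourcetypes while the Sophos Central app writes `sophos_*` ones.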