I have installed the RTO app.
(Scenario 1). To keep things simple, I have started with a simple scenario, trying to enable only two fields from my Netflow index.
I was not able to get Output Assistant to work, i.e., nothing would appear in the "Splunk Fields". What I did was to change the search to
in the search field and enabled the search, but NO output can be seen, whether I am forwarding the data to an IP/host at port 514 or to a file (I check the log in $SPLUNK_HOME/var/log/rtouput).
(Scenario 2). Subsequently, I changed the search to
This time around, Output Assistant shows all the "Splunk Fields". This allows me to do the mapping of CEF fields to Splunk fields. I enabled the search, but still NO output can be seen, whether I am forwarding to an IP/host at port 514 or to a file (I look at the log in $SPLUNK_HOME/var/log/rtouput).
Question 1. I do not understand the behavior of Output Assistant in scenario 1. This is important as I am dealing with many logs and I only want to send specific fields to ArcSight, and not necessarily the complete log record where there are many fields that don't have a matching CEF field.
Question 2. What did I do wrong in both scenarios because I did not see any output?
THANK YOU for your support.
For scenario 1, does removing "search" from the string produce results?