I managed to get it working by looking at the Python scripts. You need to use cef_field_map rather than cef_override_map:
index=_internal source="*web_access.log" | eval cef_field_map="host:dvchost,source:fname,spent:cn1,useragent:cs1,user:duser,status:cn2,clientip:dvc,method:cs2,bytes:cn3"
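Added example, not part of the original post and not the Splunk app's own code: a sketch of what a `source:cefkey` map like the one above means when applied to one event, with values escaped so that a client-controlled field such as `useragent` cannot inject extra `key=value` pairs or line breaks into the CEF record. The function names and the sample event are constructed for illustration; the escaping follows the CEF extension rules (backslash and `=` escaped, newlines encoded as `\n`).

```python
# Illustration only: hypothetical helpers, not the Splunk CEF app's implementation.

# Field map string taken from the post above.
FIELD_MAP = ("host:dvchost,source:fname,spent:cn1,useragent:cs1,user:duser,"
             "status:cn2,clientip:dvc,method:cs2,bytes:cn3")

# Constructed sample event; the useragent value tries to smuggle in extra pairs.
SAMPLE_EVENT = {
    "host": "splunk01",
    "source": "/opt/splunk/var/log/splunk/web_access.log",
    "spent": "12",
    "useragent": "curl/8.0 duser=admin\ncn2=200",
    "user": "analyst",
    "status": "404",
    "clientip": "10.0.0.5",
    "method": "GET",
    "bytes": "512",
}


def parse_field_map(spec):
    """Split 'src:cefkey,src:cefkey' into an ordered dict, rejecting bad pairs."""
    mapping = {}
    for pair in spec.split(","):
        src, sep, dst = pair.strip().partition(":")
        if not sep or not src or not dst:
            raise ValueError(f"malformed pair: {pair!r}")
        if src in mapping:
            raise ValueError(f"field mapped twice: {src!r}")
        mapping[src] = dst
    return mapping


def escape_ext_value(value):
    """Escape backslash and '=' and encode line breaks for a CEF extension value."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")


def to_cef_extension(event, mapping):
    """Render mapped fields as 'key=value' pairs; absent or empty fields are skipped."""
    parts = []
    for src, dst in mapping.items():
        if event.get(src) not in (None, ""):
            parts.append(f"{dst}={escape_ext_value(event[src])}")
    return " ".join(parts)


if __name__ == "__main__":
    print(to_cef_extension(SAMPLE_EVENT, parse_field_map(FIELD_MAP)))
```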
Ger,
Here is where you can find the (latest) revision 20 of the "Implementing ArcSight CEF" document. Implementing ArcSight CEF.pdf
You may need to register with ArcSight to view.
Mark