I managed to get it working by looking at the Python scripts. You need to use cef_field_map rather than cef_override_map. I did a test using Splunk's web_access.log; see below:
index=_internal source="*web_access.log" | eval cef_field_map="host:dvchost,source:fname,spent:cn1,useragent:cs1,user:duser,status:cn2,clientip:dvc,method:cs2,bytes:cn3"
I would upload screen shots, but the web site is not allowing me to as apparently I don't have sufficient karma 🙂
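To make the post's cef_field_map string concrete, here is an added example (my own code, not the poster's and not the Splunk CEF add-on's own implementation) that parses a `splunk_field:cef_key,...` map like the one in the search above and renders a web_access.log-style event into a CEF line with the standard header and extension escaping rules. The assumptions are that the map uses the `src:dst` comma-separated syntax shown in the post, and that the sample event, vendor, product and severity values are constructed for illustration.

```python
# Added example: apply a Splunk-style cef_field_map to an event and emit a CEF line.
# The mapping string below is the one from the post; the event and header values
# are constructed sample data, not taken from a real Splunk instance.

# Assumed syntax (from the post): "splunk_field:cef_key,splunk_field:cef_key,..."
CEF_FIELD_MAP = ("host:dvchost,source:fname,spent:cn1,useragent:cs1,user:duser,"
                 "status:cn2,clientip:dvc,method:cs2,bytes:cn3")

# Constructed sample event, shaped like fields Splunk extracts from web_access.log.
# The user agent deliberately contains '=' to show extension-value escaping.
SAMPLE_EVENT = {
    "host": "splunk-sh01",
    "source": "/opt/splunk/var/log/splunk/web_access.log",
    "spent": "15",
    "useragent": "curl/7.68.0 (x=1)",
    "user": "admin",
    "status": "200",
    "clientip": "10.0.0.5",
    "method": "GET",
    "bytes": "1024",
}


def parse_field_map(field_map: str) -> dict:
    """Parse 'src:dst,src:dst,...' into an ordered dict {splunk_field: cef_key}.

    Malformed pairs raise ValueError rather than being silently dropped, so a
    typo in the map is caught before events are forwarded with missing fields.
    """
    mapping = {}
    for pair in field_map.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if ":" not in pair:
            raise ValueError(f"malformed pair (expected src:dst): {pair!r}")
        src, dst = (p.strip() for p in pair.split(":", 1))
        if not src or not dst:
            raise ValueError(f"empty field name in pair: {pair!r}")
        mapping[src] = dst
    return mapping


def escape_header(value) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value) -> str:
    """CEF extension values: escape backslash and '=', encode newlines."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: dict, mapping: dict, vendor: str, product: str,
           version: str, signature_id: str, name: str, severity: int) -> str:
    """Render one event as 'CEF:0|vendor|product|version|sig|name|sev|ext'."""
    header = "|".join([
        "CEF:0",
        escape_header(vendor), escape_header(product), escape_header(version),
        escape_header(signature_id), escape_header(name), str(severity),
    ])
    extension = []
    for src, dst in mapping.items():
        value = event.get(src)
        if value is None or value == "":
            continue  # CEF omits absent extension keys rather than sending empties
        extension.append(f"{dst}={escape_extension(value)}")
    return header + "|" + " ".join(extension)


def build_sample() -> str:
    """Render SAMPLE_EVENT with the post's field map (constructed header values)."""
    return to_cef(SAMPLE_EVENT, parse_field_map(CEF_FIELD_MAP),
                  vendor="Splunk", product="Splunk Web", version="9.0",
                  signature_id="web_access", name="Splunk web access", severity=3)


if __name__ == "__main__":
    print(build_sample())
```

The ordering of extension keys follows the map, so a downstream SIEM parser sees the same key order for every event; values that are missing from an event are left out rather than emitted as empty strings, which is what most CEF consumers expect.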