
Why is no output generated using Splunk Real-Time Output app?

Thuan
Explorer

I have installed the RTO app.

(Scenario 1). To keep things simple, I have started with a simple scenario, trying to enable only two fields from my Netflow index:

  • search index=netflow | fields s_ip d_ip

I was not able to get Output Assistant to work, i.e., nothing would appear in the "Splunk Fields". What I did was to change the search to

  • search index=netflow | fields s_ip d_ip | eval cef_static_map="dst:d_ip,src:s_ip"

in the search field and enabled the search, but NO output can be seen, whether I am forwarding the data to an IP/host at port 514 or to a file (I check the log in $SPLUNK_HOME/var/log/rtoutput).

(Scenario 2). Subsequently, I changed the search to

  • search index=netflow

This time around, Output Assistant shows all the "Splunk Fields". This allows me to do the mapping of CEF fields to Splunk fields. I enabled the search, but still NO output can be seen, whether I am forwarding to an IP/host at port 514 or to a file (I look at the log in $SPLUNK_HOME/var/log/rtoutput).

Question 1. I do not understand the behavior of Output Assistant in scenario 1. This is important as I am dealing with many logs and I only want to send specific fields to ArcSight, and not necessarily the complete log record where there are many fields that don't have a matching CEF field.

Question 2. What did I do wrong in both scenarios because I did not see any output?

THANK YOU for your support.

0 Karma
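To make the intended behaviour of the `cef_static_map="dst:d_ip,src:s_ip"` mapping concrete, here is an added illustration (not code from the Real-Time Output app, and not from the poster): it parses a map string of that shape, keeps only the mapped Splunk fields, and renders one CEF line with the escaping ArcSight expects. The CEF header values and the sample Netflow event are constructed placeholders.

```python
"""Added illustration: apply a "cef:splunk,..." static map to a Splunk
event and render a single CEF line. Not the RTO app's own code."""
from typing import Dict

# Constructed sample event, as `fields s_ip d_ip` might return it.
SAMPLE_EVENT = {"s_ip": "10.0.0.5", "d_ip": "192.0.2.10", "_raw": "..."}


def parse_static_map(spec: str) -> Dict[str, str]:
    """Turn "dst:d_ip,src:s_ip" into {"dst": "d_ip", "src": "s_ip"}."""
    mapping: Dict[str, str] = {}
    for pair in spec.split(","):
        cef_key, _, splunk_field = pair.strip().partition(":")
        if not cef_key or not splunk_field:
            raise ValueError(f"bad map entry: {pair!r}")
        mapping[cef_key] = splunk_field
    return mapping


def _esc_header(value: str) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values: backslash, '=' and line breaks must be escaped.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: Dict[str, str], static_map: str,
           vendor: str = "Splunk", product: str = "RTO",
           version: str = "1.0", sig_id: str = "netflow",
           name: str = "NetFlow record", severity: str = "3") -> str:
    """Render only the mapped fields; unmapped Splunk fields are dropped,
    which is the selective forwarding the poster is after."""
    mapping = parse_static_map(static_map)
    ext = " ".join(f"{cef}={_esc_ext(str(event[fld]))}"
                   for cef, fld in mapping.items() if fld in event)
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, sig_id, name, severity))
    return f"CEF:0|{header}|{ext}"


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT, "dst:d_ip,src:s_ip"))
```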

areber04
Explorer

For scenario 1, does removing "search" from the string produce results?

0 Karma