in the search field and enabled the search but NO output can be seen whether I am forwarding the data to an IP/host at port 514 or to a file (I check the log in $SPLUNK_HOME/var/log/rtouput)
(Scenario 2). Subsequently, I changed the search to
This time around, Output Assistant shows the all "Splunk Fields". This allows me to do the mapping of CEF fields to Splunk fields. I enabled the search but NO output can still be seen whether I am forwarding to an IP/host at 514 or to a file (I look at the log in $SPLUNK_HOME/var/log/rtouput)
Question 1. I do not understand the behavior of Output Assistant in scenario 1. This is important as I am dealing with many logs and I only want to send specific fields to ArcSight, and not necessarily the complete log record where there are many fields that don't have a matching CEF field.
Question 2. What did I do wrong in both scenarios because I did not see any output?