I have installed the RTO app.

(Scenario 1). To keep things simple, i have started with a simple scenario trying to enable only two field from my Netflow index

• search index=netflow | fields s_ip d_ip

I was not able to get Output Assistant to work, i.e, nothing would appear in the "Splunk FIelds". What I did was to change the search to

• search index=netflow | fields s_ip d_ip | eval cef_static_map="dst:d_ip,src:s_ip"
  

in the search field and enabled the search but NO output can be seen whether I am forwarding the data to an IP/host at port 514 or to a file (I check the log in $SPLUNK_HOME/var/log/rtouput)

(Scenario 2). Subsequently, I changed the search to

• search index=netflow

This time around, Output Assistant shows the all "Splunk Fields". This allows me to do the mapping of CEF fields to Splunk fields. I enabled the search but NO output can still be seen whether I am forwarding to an IP/host at 514 or to a file (I look at the log in $SPLUNK_HOME/var/log/rtouput)

Question 1. I do not understand the behavior of Output Assistant in scenario 1. This is important as I am dealing with many logs and I only want to send specific fields to ArcSight, and not necessarily the complete log record where there are many fields that don't have a matching CEF field.

Question 2. What did I do wrong in both scenarios because I did not see any output?

THANK YOU for your support.