I experienced some challenges with bringing in NetApp object auditing events (not ONTAP events), so I thought I'd share in case anyone else can be spared some of the pain.
In my case, the NetApp events were written to XML files stored on a Windows file share. The forwarder was installed on a Windows VM that had access to this share. The account running the Splunk service was also set up with access to this share. Here are my working config files.
inputs.conf
[monitor://\\servername\auditlogs]
# NOTE: The file path is: 2 forward slashes, 4 backslashes, server name, backslash, share name
# FS FS BS BS BS BS server name BS share name
index = netapp
sourcetype = object_auditing
disabled = 0
whitelist = .*last.xml
initCrcLength=512
props.conf
[object_auditing]
KV_MODE=xml
SHOULD_LINEMERGE=true
LINE_BREAKER= >(\s+)