
How to get NetApp logs into Splunk


Installed Splunk within the environment and wanted to forward all NetApp logs into the Splunk indexer. The current setup is a Splunk search head and indexer on the same box, plus one syslog server that is being indexed. I would like a step-by-step guide to forwarding logs from NetApp to Splunk.

0 Karma

New Member

Hi, I had an issue with the NetApp plugin. I've already configured and installed it and also added the cluster mode array with the IP address and credentials validated. I also ran the Scheduler, but when I go to "Proactive Monitoring" and then, for example, to the "Cluster View", I'm getting the following message: "Search query is not fully resolved.", and nothing is displayed. Could someone help me out with this, since I'd like to try Splunk to monitor our filers from NetApp?

Thanks in advance,

Best regards to all

0 Karma

Splunk Employee

There could be a couple different causes to this issue. One is that the tsidx searches did not finish populating their indexes before the page was loaded. This issue will resolve itself over time.

First, it might be helpful to check that you're getting data. By default, data goes into index=ontap. If this index is empty, then there's a problem with your configuration. Check that your data collection node is configured as a forwarder and sending data to your indexer. If you're not seeing data in index=_internal from the data collection node host, then there's a connection problem that needs resolution.

If you're still seeing the same issues, check index=_internal sourcetype=splunk_ta_ontap_api* OR sourcetype=hydra* ERROR for any errors during collection.


I am facing a similar issue where I am not able to see any data. Just wanted to confirm on the settings that I did.

I have a Splunk server which is configured as a search head and indexer. I installed the NetApp App on that.
On this server, I added an OntapServer by clicking on the "Add Ontap Collection" button. Is that fine?

I have not set up any Data Collection Node. Is it mandatory to set one up?

I don't see anything in index=_internal host=someHost.

0 Karma

Splunk Employee

For details on how to get logs, performance and configuration data from NetApp ONTAP environment, please refer to Splunk App for NetApp Data ONTAP docs:

0 Karma


What @sdaniels said, but if the only thing you are interested in are the actual system logs (and not performance or configuration data, which the app provides in addition), then you can certainly do syslog forwarding. On NetApp 7-mode, it works exactly like any unix, i.e. 'man syslogd.conf'. Here's a blog post with some instructions:

Cluster-mode is different. You would use the 'event' command while logged into a command shell. ONTAP 8.1 reference guide link [may require login to view]:

0 Karma
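The 7-mode syslog route described in the post above, sketched as an added example that is not part of the original thread or of Splunk's or NetApp's documentation. The receiver address 192.0.2.10, the filer address 192.0.2.50 and the index name netapp_syslog are placeholder assumptions; the index has to exist on the indexer before data arrives.

```conf
# --- On the 7-mode filer: /etc/syslog.conf -------------------------------
# Same selector/action syntax as a Unix syslog.conf (separate the two
# fields with a tab). "@host" forwards matching messages to a remote
# syslog receiver over UDP 514.
# 192.0.2.10 is a placeholder for the Splunk (or syslog) receiver.
*.info	@192.0.2.10

# Keep a local copy on the filer so events survive a network outage;
# UDP syslog is fire-and-forget and is neither encrypted nor authenticated.
*.info	/etc/messages

# --- On the Splunk receiver: inputs.conf ---------------------------------
# Listen for syslog over UDP 514 (binding to a port below 1024 needs the
# privileges to do so on the receiver).
[udp://514]
sourcetype = syslog
# Placeholder index name (assumption); create it first.
index = netapp_syslog
# Record the sender's IP address as the host field.
connection_host = ip
# Accept datagrams only from the filer (placeholder address) so that
# other hosts on the network cannot write events into this index.
acceptFrom = 192.0.2.50
```

If the filer instead sends to the existing syslog server that Splunk already indexes, only the syslog.conf part is needed, with that server's address after the `@`.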

Splunk Employee

There is a documentation tab on the App website. If you run into issues after following those steps feel free to post a question.

0 Karma