So, I cannot get ANY data from the NetApp simulator (8.2 7-Mode). I am using VMware workstation as a proof of concept.....

Caveats - 1 I am NOT a Linux guru. 2. I am new to Splunk. 3. I like to follow the KISS (Keep it Simple Stupid) principal. Ultimate goal is to make an OVA for quick deployment of Splunk to multiple environments with possibly a script to set IP's and configure everything to work.

Here are the configs:

syslog.conf (on NetApp)

Set the alert level for the console

*.err /dev/console

Set the alert level for the local messages file

*.info /etc/messages

Set the alert level for the syslog server

*.info @192.168.216.150

input.conf

The below stanzas are examples only, and should be customized to suit your

environment.

[monitor:///opt/netapp_logs/192.168.216.30/etc/log]
disabled = false
followTail = 0
host_segment = 3
index = netapp
blacklist = (stats)|(/mlog/.last_rotate)|(/log/autosupport)

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_ONTAP7/bin/SNap.py -h 01]
disabled = 0
interval = 500
sourcetype = netapp:internal
index = netapp

input.conf (alternate try /netapp is in the root of the server)

The below stanzas are examples only, and should be customized to suit your

environment.

[monitor:///netapp/192.168.216.30/etc/log]
disabled = false
followTail = 0
host_segment = 3
index = netapp
blacklist = (stats)|(/mlog/.last_rotate)|(/log/autosupport)

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_ONTAP7/bin/SNap.py -h 01]
disabled = 0
interval = 500
sourcetype = netapp:internal
index = netapp

snap_hosts.csv

SNAP_HOSTS

This configuration file is used to tell SNAP.PY from which filers to collect API data.

HEADER:

filer (hostname or IP), NetApp user, password

See README for information on required permissions for API access to NetApp filers.

192.168.216.30, root, netapp123

I have an NFS share mounted to the /netapp folder on the root of the Red Hat box.

I created the user accounts per the documentation (tried it twice and got the error that the accounts already exist - so that is all correct)

I just tried again and keep getting this:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

search index=netapp

over the time range:

(earliest indexed event) – (latest indexed event)

did not return any data. Possible solutions are to:

* relax the primary search criteria
* widen the time range of the search
* check that the default search indexes for your account include the desired indexes

The following messages were returned by the search subsystem:

* DEBUG: base lispy: [ AND index::netapp ]
* DEBUG: search context: user="admin", app="SplunkAppForNetAppONTAP", bs-pathname="/opt/splunk/etc"

SO, what am I doing wrong or missing?