I experienced some challenges with bringing in Netapp object auditing events (not ONTAP events), so I thought I’d share if anyone else can be spared some of the pain.

In my case, the Netapp events were written to XML files stored on a Windows file share. The forwarder was installed on a Windows VM that had access to this share. The account running the Splunk service also was set up with access to this share. Here are my working config files.

Inputs.conf
[monitor://\\servername\auditlogs]

NOTE: The file path is: 2 forward slashes, 4 backslashes, server name, backslash, share name

FS FS BS BS BS BS server name BS share name

index = netapp
sourcetype = object_auditing
disabled = 0
whitelist = .*last.xml
initCrcLength=512

props.conf
[object_auditing]
KV_MODE=xml
SHOULD_LINEMERGE=true
LINE_BREAKER= >(\s+)

Yes, actually I had planned on obsoleting the NFS file monitor entirely in favor of syslog. You will see this in an upcoming release. Not that it will be drastic, but I have not yet started on the work to change the dashboard panels on the overview page. It should be trivial if you want to have a go. Click on the "view results" link on those first two panels and you'll see what needs to be edited. For example:

index=netapp sourcetype="*messages*" OR sourcetype="*syslog*" 

This is what the NFS messages are coming in as presently. Just replace that with how to find your syslog messages and it might "just work".