All,
Step 3, mounting the NFS share for Splunk to digest isn't going to work for us. Can't we get the same data via syslog?
"Create an NFS mount to the system partition of your filer(s). Copy local/inputs.conf.sample to inputs.conf and edit this file. Specify path to the system log path. For example:
[monitor:///opt/netapp_logs/10.160.114.230/etc/log]"
Hi, where did you find the solution, documentation about mounting the NFS under Splunk?
Thanks
 
I experienced some challenges with bringing in NetApp object auditing events (not ONTAP events), so I thought I’d share if anyone else can be spared some of the pain.
In my case, the NetApp events were written to XML files stored on a Windows file share. The forwarder was installed on a Windows VM that had access to this share. The account running the Splunk service also was set up with access to this share. Here are my working config files.
inputs.conf
[monitor://\\servername\auditlogs]
index = netapp
sourcetype = object_auditing
disabled = 0
whitelist = .*last.xml
initCrcLength=512
props.conf
[object_auditing]
KV_MODE=xml
SHOULD_LINEMERGE=true
LINE_BREAKER= >(\s+)
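
An added example, not part of the post above or of Splunk itself: Python that applies the LINE_BREAKER value from this props.conf to an XML stream, modelling only the capture-group rule (text before group 1 ends a chunk, group 1 is discarded) and not the SHOULD_LINEMERGE stage that runs afterwards. The sample XML and its element names are constructed, not real NetApp output.

```python
import re
import xml.etree.ElementTree as ET

LINE_BREAKER = r">(\s+)"  # value from the props.conf in the post above

def split_on_line_breaker(raw, pattern=LINE_BREAKER):
    """First pass of event breaking: text up to capture group 1 ends a
    chunk, text after it starts the next, the group itself is dropped."""
    chunks, start = [], 0
    for m in re.finditer(pattern, raw):
        chunks.append(raw[start:m.start(1)])
        start = m.end(1)
    if raw[start:]:
        chunks.append(raw[start:])  # trailing text with no break after it
    return chunks

def whole_events(raw, root_tag="Event"):
    """Count chunks that are already one complete <Event> element."""
    count = 0
    for chunk in split_on_line_breaker(raw):
        try:
            if ET.fromstring(chunk).tag == root_tag:
                count += 1
        except ET.ParseError:
            pass  # a tag fragment, not a full record
    return count

# Constructed samples (element names are assumptions, not NetApp output).
ONE_PER_LINE = (
    "<Event><EventID>4663</EventID><User>alice</User></Event>\n"
    "<Event><EventID>4656</EventID><User>bob</User></Event>\n"
)
PRETTY = (
    "<Event>\n  <EventID>4663</EventID>\n  <User>alice</User>\n</Event>\n"
    "<Event>\n  <EventID>4656</EventID>\n  <User>bob</User>\n</Event>\n"
)

if __name__ == "__main__":
    for name, sample in (("one per line", ONE_PER_LINE),
                         ("pretty-printed", PRETTY)):
        chunks = split_on_line_breaker(sample)
        print(f"{name}: {len(chunks)} chunks, "
              f"{whole_events(sample)} whole events")
```

When the files are pretty-printed, every chunk is a single tag line, so complete audit records for KV_MODE=xml depend on the line-merge stage reassembling them. Checking a sample of indexed events against the source file confirms that no record is split or fused.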
 
Yes, actually I had planned on obsoleting the NFS file monitor entirely in favor of syslog. You will see this in an upcoming release. Not that it will be drastic, but I have not yet started on the work to change the dashboard panels on the overview page. It should be trivial if you want to have a go. Click on the "view results" link on those first two panels and you'll see what needs to be edited. For example:
index=netapp sourcetype="*messages*" OR sourcetype="*syslog*" 
This is what the NFS messages are coming in as presently. Just replace that with how to find your syslog messages and it might "just work".
