Getting Data In

How do we index NetApp .evt files on a UNIX box?

I_am_Jeff
Communicator

We have several NetApps that require log retention. Getting log events to Splunk appears to be an odd configuration. Odd being defined as we haven't done it before.

  • The NetApp admin cannot install additional software
  • The BSD-style syslog events generated by the NetApp do not have the information we wish to retain.
  • The files required end in the .evt extension. I don't have the expertise to state they are MS Windows event logs, but they sure look like it.
    • The Solaris Splunk box says these are data files.
    • adtlog.20110809154604.evt: data
  • The files are NFS mounted on our Solaris Splunk system.
  • We do not understand how to use trans.py from the Windows app (Splunk for Windows).

More environment information.

  • Splunk is 4.1.5.
  • Splunk currently running on a Solaris 10 zone.
  • The NetApp .evt files are mounted using the NFS automounter, configured in /etc/auto/auto_netapp.
    • The file system is mounted as needed.
    • /opt/ext/netapp01 -ro netapp01:/vol/vol0/etc/log
  • Three different teams, at two different locations, are involved: me (your friendly, neighborhood Splunk application admin), the UNIX admin team, and the NetApp team. We have not engaged the Windows team at this point.

It may just be we don't know how to use the Windows app correctly. Seems like we have another option as well, mounting the files on a Windows system and having a Universal Forwarder connect to port 9997 on the Splunk system. We have done this successfully on other MS Windows systems.

We want to retain host information. (If these were normal syslog/text files, we could use the directory for the hostname.)

So, what exactly do we need to do to get these files in our Splunk index? We're especially unfamiliar with the Windows App and trans.py.


gkanapathy
Splunk Employee

The files are Windows Event Log binary export files (well in the same format). If you install a Splunk forwarder on Windows (Universal Forwarder or Light), and set it up to forward to your indexer(s), you can simply read/input the .evt files on the forwarder. It will convert them and forward them to your Solaris Splunk instance. The Windows Splunk forwarders have code to recognize and convert the files readably automatically (I think based on the file name extension) and should also have the ability to extract the host from one of the fields (ComputerName I think) in the file.

You can copy/FTP the .evt files to a monitored or batch directory on the forwarder, or mount and monitor another directory where they are written.
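One concrete way to configure the forwarder side of this answer, as an added example that is not from the thread or from Splunk's own documentation: it assumes the Windows host running the Universal Forwarder can reach each NetApp's /etc/log share over UNC (the share name etc$, the NetApp names netapp01/netapp02, the indexer hostname and the index name are all assumptions).

```ini
# Added example (not from the original thread): Universal Forwarder on the
# Windows host, reading the NetApp .evt exports over UNC and forwarding them
# to the Solaris indexer on port 9997. All paths and names are assumptions.

# --- %SPLUNK_HOME%\etc\system\local\inputs.conf ---
# One stanza per NetApp. host is set explicitly so the retained events are
# keyed to the NetApp that produced them, not to the Windows forwarder.
# No sourcetype is forced: the Windows forwarder recognises .evt files by
# extension and decodes them itself, as described above.
[monitor://\\netapp01\etc$\log\adtlog.*.evt]
disabled = false
host = netapp01
index = netapp_audit

[monitor://\\netapp02\etc$\log\adtlog.*.evt]
disabled = false
host = netapp02
index = netapp_audit

# --- %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# Send everything to the existing Solaris indexer (hostname assumed).
[tcpout]
defaultGroup = solaris_indexer

[tcpout:solaris_indexer]
server = splunk-solaris.example.com:9997
```

The forwarder runs as a Windows service, so run it under a domain account that has read access to those shares; drive letters mapped in an interactive session are not visible to the service, which is why the stanzas use UNC paths. The index named in inputs.conf must already exist on the indexer.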


I_am_Jeff
Communicator

We ended up mounting on a Windows host and forwarding that way.
