well it seems in log extract you paste earlier your ssg is sending in UDP or splunk is listening in udp:
_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

then to be sure you get the data i would create in splunk 2 data inputs: one tcp one udp...on the port number you specified in your ssg

i'm sending via tcp port not udp

could you please comment on previous answer rather than creating new answer everytime...

are you sure you sending via UDP and haven't tick TCP?

I would create a Manager >> Data inputs >> TCP >> New on the same port as udp(5410) to be sure.

it's an ssg 20

Does not the Metrics data indicate that you have set your splunk to listen to UDP (and you yourself say that your firewall is sending TCP)?

Make sure that you are listening for the type of traffic you are sending.

/k

which juniper firewall products you have? is it juniper SRX?

if it is then to get SRX logs see Juniper KB16634 and KB16224.

that how i configure my firewall, can you take a look on this please
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759

your juniper isnot sending anything :

_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

then you have to check your juniper

that's what i got when i put the first expression
6 events like this one

1 » 4/3/12
11:40:58.727 AM  04-03-2012 11:40:58.727 +0200 INFO  Metrics - group=udpin_connections, 192.168.0.111:5410, sourcePort=5410, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00host=lab2008   Options|  sourcetype=splunkd   Options|  source=C:\Program Files\Splunk\var\log\splunk\metrics.log   Options

and when i put the second expression , it doesn't give me anything

what i should do ??