First make sure you have set up your splunk forwarder with a domain account (not the local user option). This domain account must have corresponding administrative rights, so that the forwarder kann access the filer. Assuming you already have enabled cifs audit on your netapp, put this in your inputs.conf of your forwarder: [monitor://\\filer_host\c$\etc\log\*.evt] disabled = 0 index=whateveryoulike This will do the trick. Regards, Phil ... View more

If someone's stumbling upon this, I've made a simple field extration regex which does the job by filtering out all text between ampersands (&) where "q=" is showing up. Just go to "Manager" - "Field extractions" - Click "New" and enter the line below in the field "Extraction/Transform" after choosing your app & source/sourcetype/host: (?i)&q=(?P<_google_query>\w+[^&]*)& Regards, Phil PS: Maybe someone will cure the bug of not beeing able to post "<thisisnotag!!!>" as it's regarded as html-tag 😉 ... View more