I am having issues configuring Splunk to Index NetApp CIFS logs in XML format.
Here is an example of 3 events:
4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurity4cf616e5-deec-11e5-9347-00a0988f86b6/e64ece12-df28-11e5-9348-00a0988f86b610.10.10.10S-9-9-99-9999999999-999999999-9999999999-9999falseDOMAINadminSecurityDirectory0000000000041f;00;00000040;5e1fd3f6(name);/%%4423 %%1541 10080Read Attributes; Synchronize; Open a directory;
4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurity4cf616e5-deec-11e5-9347-00a0988f86b6/e64ece12-df28-11e5-9348-00a0988f86b610.10.10.10S-9-9-99-9999999999-999999999-9999999999-9999falseDOMAINadminSecurityDirectory0000000000041f;00;00000040;5e1fd3f6(name);/%%4423 %%1541 10080Read Attributes; Synchronize;
4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurity4cf616e5-deec-11e5-9347-00a0988f86b6/e64ece12-df28-11e5-9348-00a0988f86b610.10.10.10S-9-9-99-9999999999-999999999-9999999999-9999falseDOMAINadminSecurityDirectory0000000000041f;00;00000040;5e1fd3f6(name);/%%4423 %%1541 10080Read Attributes; Synchronize; Open a directory;
I've attempted to create a props.conf with KV_MODE = xml, but haven't had any success yet.
Any assistance would be appreciated.
Thanks.
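The sample above shows the three audit records arriving as one run of text, which points at event breaking rather than KV_MODE as the first thing to check. The props.conf stanza below is an added example, not from the question or from NetApp; the sourcetype name `netapp:cifs:audit`, the `<Event` root element used for breaking, and the timestamp placeholder are assumptions to be matched against the real XML.

```ini
# props.conf on the indexer or heavy forwarder that parses the NetApp CIFS audit feed.
# Assumed sourcetype name; use whatever the input stanza assigns.
[netapp:cifs:audit]

# Break the stream into one event per XML record instead of relying on newlines.
# "<Event" followed by whitespace or ">" is assumed to be the per-record root
# element; a wrapping "<Events>" container does not match because "s" is neither.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n\s]*)<Event[\s>]

# Audit records carry SIDs, GUIDs and access masks and can be long; raise the
# default 10000-byte truncation so the closing tags survive and the XML stays well-formed.
TRUNCATE = 100000

# Search-time field extraction from the XML; field names follow the element names.
KV_MODE = xml

# Anchor timestamp parsing on the element that carries the event time
# (placeholder: replace with the real element from the NetApp output).
# TIME_PREFIX = <YOUR_TIMESTAMP_ELEMENT>
# MAX_TIMESTAMP_LOOKAHEAD = 40
```

After restarting the parsing tier, verify with a search such as `sourcetype=netapp:cifs:audit | head 3 | spath` and confirm that each result is a single complete record with its own extracted fields rather than three records fused into one.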