
Re: Searching through Audit log CIFS folder/file permissions


Hey Ted,

So what we did is enable auditing on the CIFS vserver, which writes audit data out to files (we used XML format instead of EVTX). Then we made a CIFS share on the audit volume.

Then we used a VM that could access the audit CIFS share, and locked down permissions to that machine and the user Splunk runs as only.

After that it was a matter of installing the Splunk Universal Forwarder on the VM and configuring it to watch the directory the NetApp vservers write the audit logs in. We did have to work with our Splunk team to help parse the XML. But hope that helps get you started.
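
Added example, not part of the original post and not NetApp or Splunk code: a sketch of the XML parsing step the post mentions, for searching audit events by event ID or path before (or alongside) indexing them. The sample document is constructed; its namespace, element names, event IDs and `Data` field names are assumptions modelled on the Windows event layout, so check them against a real file from your audit volume.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real audit output. Namespace, event IDs and
# field names are assumptions; adjust them to match your own files.
SAMPLE = """<Events xmlns="urn:example:audit">
 <Event><System><EventID>4656</EventID><EventName>Open Object</EventName>
  <Result>Audit Success</Result><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
  <EventData><Data Name="SubjectUserName">alice</Data>
   <Data Name="ObjectName">(share1);/finance/q1.xlsx</Data></EventData></Event>
 <Event><System><EventID>4670</EventID><EventName>Permissions Changed</EventName>
  <Result>Audit Success</Result><TimeCreated SystemTime="2024-01-01T10:05:00Z"/></System>
  <EventData><Data Name="SubjectUserName">bob</Data>
   <Data Name="ObjectName">(share1);/finance</Data></EventData></Event>
 <Event><System><EventID>4656</EventID><EventName>Open Object</EventName>
  <Result>Audit Failure</Result><TimeCreated SystemTime="2024-01-01T10:07:00Z"/></System>
  <EventData><Data Name="SubjectUserName">bob</Data>
   <Data Name="ObjectName">(share1);/hr/roster.docx</Data></EventData></Event>
</Events>"""

def local(tag):
    """Strip the '{namespace}' prefix so lookups work whatever xmlns is used."""
    return tag.rsplit("}", 1)[-1]

def parse_events(xml_text):
    """Flatten each <Event> into a dict of header fields plus named Data values."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "Event":
            continue
        rec = {}
        for node in ev.iter():
            name = local(node.tag)
            if name == "Data" and node.get("Name"):
                rec[node.get("Name")] = (node.text or "").strip()
            elif name == "TimeCreated":
                rec["TimeCreated"] = node.get("SystemTime", "")
            elif name in ("EventID", "EventName", "Result"):
                rec[name] = (node.text or "").strip()
        events.append(rec)
    return events

def search(events, event_ids=None, path_contains=None):
    """Return events matching an optional set of IDs and/or a path substring."""
    hits = []
    for e in events:
        if event_ids and e.get("EventID") not in event_ids:
            continue
        if path_contains and path_contains not in e.get("ObjectName", ""):
            continue
        hits.append(e)
    return hits
```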

