Hi ,

Splunk is pulling data from URLs , which is having below format:

<DocumentElement>
<CMN_DEPARTMENT><id>DEP00001044</id><sys_id>0036651c6fffb000c60337c64f3ee4ac</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001045</id><sys_id>0036651c6fffb000c60337c64f3ee4ab</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001046</id><sys_id>0036651c6fffb000c60337c64f3ee4ad</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001047</id><sys_id>0036651c6fffb000c60337c64f3ee4ae</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001048</id><sys_id>0036651c6fffb000c60337c64f3ee4af</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001049</id><sys_id>0036651c6fffb000c60337c64f3ee4ag</sys_id></CMN_DEPARTMENT>
<DocumentElement>

Here DocumentElement is the root element, CMN_DEPARTMENT is child element and having "sys_id" are leaf nodes. When I extract index, I'm getting only one sys_id out of 5-6 ids under one event. Like this, we will have 24 events per day (i.e. pulling data from URL every one hour).

How to extract each sys_id into index and perform search operations on it?

Thanks in advance.