Thanks much.
It started parsing the data now. The actual issue looked like no data was getting indexed at all after we downloaded the Splunk DB app, which was not configured. I deleted it and restarted Splunk. It's indexing data now, but it's doing it with the current timestamp. It needs to extract the timestamps:
props.conf
[aud_xml]
KV_MODE = xml
MAX_TIMESTAMP_LOOKAHEAD=165
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=<\s*\/AuditRecord\s*>
NO_BINARY_CHECK=true
inputs.conf
[monitor:///mnt/avtest]
disabled = 0
followTail = 0
host = host
sourcetype = aud_xml
whitelist = idprd1_ora_[\d]*_[\d].xml$
crcSalt =
sample file format:
11.2
1697608112014-11-25T22:07:27.695390ZUSERuserhost17498unknown110000000000000000000Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=ip)(PORT=port))5id
Thanks
Navd
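Added example (not part of the original post): with the stanza posted above Splunk has no TIME_PREFIX, so it only searches the first MAX_TIMESTAMP_LOOKAHEAD (165) characters of each event for a timestamp, and each event is cut before the closing </AuditRecord> tag, so an event is the tail of one record plus the head of the next. The script below carries a proposed props.conf stanza that anchors the timestamp on the element that holds the ISO time and breaks events before the opening <AuditRecord> tag, then emulates Splunk's LINE_BREAKER / TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT handling against a constructed sample so the regexes can be checked before touching the indexer. Assumptions: the element name Extended_Timestamp (the tags are stripped from the sample above; confirm it against a real idprd1_ora_*.xml file), one AuditRecord per line, and the sample XML itself, which is constructed from the field values shown in the post.

```python
import re
from datetime import datetime, timezone

# Proposed replacement for the posted [aud_xml] stanza. Kept as a string so the
# emulation below uses exactly the regexes Splunk would. The element name
# <Extended_Timestamp> is an assumption about the Oracle XML audit trail.
PROPS_CONF = r"""
[aud_xml]
KV_MODE = xml
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=<AuditRecord>)
TIME_PREFIX = <Extended_Timestamp>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6NZ
MAX_TIMESTAMP_LOOKAHEAD = 40
TZ = UTC
"""


def conf_value(key):
    """Read one setting out of PROPS_CONF so code and stanza cannot drift apart."""
    m = re.search(rf"^{re.escape(key)}\s*=\s*(.*)$", PROPS_CONF, re.M)
    return m.group(1)


LINE_BREAKER = re.compile(conf_value("LINE_BREAKER"))
TIME_PREFIX = re.compile(conf_value("TIME_PREFIX"))
LOOKAHEAD = int(conf_value("MAX_TIMESTAMP_LOOKAHEAD"))
# Splunk's %6N (microseconds) is Python's %f; the trailing Z is a literal.
PY_TIME_FORMAT = conf_value("TIME_FORMAT").replace("%6N", "%f")

# Constructed sample file: a header (the "11.2" version line from the post) and
# two audit records built from the values in the post. Tag names are assumed.
SAMPLE_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<Audit>
<Version>11.2</Version>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>697608</Session_Id><Extended_Timestamp>2014-11-25T22:07:27.695390Z</Extended_Timestamp><DB_User>USER</DB_User><OS_User>user</OS_User><Userhost>host</Userhost><OS_Process>17498</OS_Process><Terminal>unknown</Terminal><Comment_Text>Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=ip)(PORT=port))</Comment_Text></AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>697609</Session_Id><Extended_Timestamp>2014-11-25T22:07:28.000120Z</Extended_Timestamp><DB_User>USER</DB_User><OS_User>user</OS_User><Userhost>host</Userhost></AuditRecord>
</Audit>
"""


def split_records(text):
    """Emulate LINE_BREAKER: the first capture group is the discarded separator
    and the event boundary falls at the end of it."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(text):
        events.append(text[start:m.start(1)])
        start = m.end(1)
    events.append(text[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT.
    Returns an aware UTC datetime, or None when the event has no parsable
    timestamp (Splunk would then fall back to the previous event's time or the
    index time, which is the symptom described in the post)."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + LOOKAHEAD]
    candidate = window.split("<", 1)[0]  # stop at the closing tag
    try:
        return datetime.strptime(candidate, PY_TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_file(text):
    """Return (event preview, extracted timestamp) for every event in the file."""
    return [(e[:40], extract_timestamp(e)) for e in split_records(text)]


if __name__ == "__main__":
    for preview, ts in check_file(SAMPLE_FILE):
        print(f"{ts!s:32} {preview!r}")
```

The header (XML declaration, <Audit>, <Version>11.2</Version>) becomes its own timestamp-less event; that is the stray "11.2" line visible in the sample above, and it can be dropped at index time or left alone. If a real file puts several AuditRecord elements on one line, LINE_BREAKER has nothing to consume and the records will not split; in that case the lookahead is the only thing left to tune, so confirm the line layout with a hex dump before deploying.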