XML Processing Help

Can you share a sanitized or stripped down example XML you’re having
trouble parsing? Does each event start with <?xml> tag, or a file
with multiple events?

@eugene its similar to McAfee HBSS data such as:

<?xml version="1.0" encoding="UTF-8"?><SCORData>  <MachineInfo>  <MachineName>HOSTNAME</MachineName>  <AgentGUID>GUID HERE</AgentGUID>  <IPAddress>127.0.0.1</IPAddress>  <OSName>Windows 8 Workstation</OSName>  <UserName>SYSTEM</UserName>  <TimeZoneBias>-60</TimeZoneBias>  <RawMACAddress>123456789012</RawMACAddress>  </MachineInfo>  <SCORSoftware ProductName="Solidifier" ProductVersion="8.2.0.140" ProductFamily="Secure">  <SCOREvent>  <EventID>12321</EventID>  <Severity>1</Severity>  <GMTTime>2000-11-21T11:31:57</GMTTime>  <SCORevent_name>COMMAND_EXECUTED</SCORevent_name>  <SCORevt_id>8</SCORevt_id>  <SCORevt_type>EVT_CAT_TYPE_INFO</SCORevt_type>  <SCORevt_sink>7</SCORevt_sink>  <SCORseq_no>1</SCORseq_no>  <SCORtime_stamp>1637494316200</SCORtime_stamp>  <SCORserver_state>0</SCORserver_state>  <SCORend_time>Sun Nov 21 2000 12:31:56</SCORend_time>  <SCORuser_name>...</SCORuser_name>  <SCORcmd_line>...</SCORcmd_line>  <SCORstatus>0</SCORstatus>  </SCOREvent>  </SCORSoftware></SCORData>

@eugene It looks like that works. Thanks. That helps. Would be nice to have that included in the official documentation

Glad it helped! Please mark the answer as the Solution when you have a chance.

Would be nice to have that included in the official documentation

I’ll talk to the docs team about making an update. What was the new
insight you gained from my answer? How was it different from what you
were trying to do?

@eugene the documentation Reducing Windows XML Events | Cribl Docs shows that it can be run like: C.Text.parseXml(_raw, false) so with 2 variables not 1 in the parenthesis. C.Text.parseXml(_raw, false) , which is different than what worked of C.Text.parseXml(_raw)

Strange. With the sample you shared, C.Text.parseXml(_raw,false) works (as does true) just as well for me. I wonder if something else.