I have events that look like this:

inputs.conf:

[monitor://D:\Splunk\NVDB*.xml]

crcSalt =

disabled = false

followTail = 0

sourcetype = nvdb

props.conf:

[nvdb]

SHOULD_LINEMERGE = true

BREAK_ONLY_BEFORE = (?i)<entry\sid=

MUST_BREAK_AFTER = (?i)</entry>

MAX_EVENTS = 10000

REPORT-nvdb_vulnerable_products = nvdb_vulnerable_products

EXTRACT-cve_id = (?i)<entry\sid=\"CVE-(?P\d+-\d+)

EXTRACT-score = (?i)<cvss:score>(?P[^<]+)<

EXTRACT-access_vector = (?i)<cvss:access-vector>(?P[\w+]+)<

EXTRACT-access_complexity = (?i)<cvss:access-complexity>(?P[\w+]+)<

EXTRACT-authentication = (?i)<cvss:authentication>(?P[\w+]+)<

EXTRACT-confidentiality_impact = (?i)<cvss:confidentiality-impact>(?P[\w+]+)<

EXTRACT-integrity_impact = (?i)<cvss:integrity-impact>(?P[\w+]+)<

EXTRACT-availability_impact = (?i)<cvss:availability-impact>(?P[\w+]+)<

The data is XML formatted. The files are treated as a single event and are around 250 lines long. The searches hang at like 538 events (out of tens of thousands).

What's the best way to go about troubleshooting this? I have other XML inputs that take no time at all to search through.

Thx.

Craig