We're polling an audit file from our SQL server, that includes a field called additional information. This field has a field inside it:

<address>field</address>

that I need to be indexed. I may have done something wrong in setting up the input, because I kind of expected this to be an indexed field from the beginning.

This is the input:

[mi_input://mssql:audit] connection = SQLServer index = main interval = 60 max_rows = 10000 mode = tail output_timestamp_format = YYYY-MM-dd HH:mm:ss query = SELECT * FROM sys.fn_get_audit_file ('M:\\\\AuditFiles\\\\*',default,default) source = dbx2 sourcetype = mssql:audit tail_follow_only = 1 tail_rising_column_name = event_time tail_rising_column_number = 1 ui_query_mode = advanced disabled = 0 tail_rising_column_checkpoint_value = 1449605957973`

and this is the result: