From Splunk Wiki
Tips for working with XML log files
By default, the settings in apps/config/default/props.conf cause each XML file to be processed as a single event (there are no linebreaking rules). This is fine for plain XML content, but is not ideal for handling XML log files. To handle these, create a new source type definition in /apps/config/local/props.conf and include linebreaking rules that are appropriate for your XML log data.
Important: Splunk recommends that you make this change in /apps/config/local/props.conf and not in apps/config/default/props.conf. Otherwise, your changes will be overwritten when you upgrade Splunk.
If you have some linebreaking rules that work for a product that logs in XML, feel free to post them here with some descriptive info.
This example shows a mercado_xml stanza defined for the XML log file format that Mercado generates.
[mercado_xml]
TIME_PREFIX = ^.*TM\=\"
TIME_FORMAT = %m-%dT%T
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\<Log\s+\w+=
MUST_BREAK_AFTER = Log>
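To check where these rules place event boundaries before deploying the stanza, the following added example (not from the original wiki page or from Splunk) applies the stanza's BREAK_ONLY_BEFORE, MUST_BREAK_AFTER and TIME_PREFIX patterns to a constructed log. It is a simplified model of those settings only, not Splunk's line-merging implementation; the sample records and the SEV and Msg names are assumptions.

```python
import re
from datetime import datetime

# Patterns copied verbatim from the [mercado_xml] stanza.
BREAK_ONLY_BEFORE = re.compile(r'^\<Log\s+\w+=')
MUST_BREAK_AFTER = re.compile(r'Log>')
TIME_PREFIX = re.compile(r'^.*TM\=\"')
TIME_FORMAT = "%m-%dT%H:%M:%S"  # Python spelling of %m-%dT%T

# Constructed sample (SEV and Msg are assumed names); the second record is truncated.
SAMPLE_LINES = [
    '<?xml version="1.0"?>',
    '<Log TM="03-14T09:26:53" SEV="INFO">',
    '  <Msg>session opened</Msg>',
    '</Log>',
    '<Log TM="03-14T09:26:55" SEV="WARN">',
    '  <Msg>writer interrupted, no closing tag',
    '<Log TM="03-14T09:27:01" SEV="INFO"><Msg>recovered</Msg></Log>',
]

def merge_events(lines):
    """Start an event before a BREAK_ONLY_BEFORE line, end one after a MUST_BREAK_AFTER line."""
    events, current = [], []
    for line in lines:
        if current and BREAK_ONLY_BEFORE.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
        if MUST_BREAK_AFTER.search(line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events

def extract_time(event):
    """Return the text after TIME_PREFIX if it parses with TIME_FORMAT, else None."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    raw = event[m.end():m.end() + 14]  # len("MM-DDTHH:MM:SS") == 14
    try:
        # The format carries no year; 2000 is a placeholder used for validation only.
        datetime.strptime("2000-" + raw, "%Y-" + TIME_FORMAT)
    except ValueError:
        return None
    return raw

if __name__ == "__main__":
    for ev in merge_events(SAMPLE_LINES): print(extract_time(ev), repr(ev))
```

In this model the record that was cut off before its closing tag still ends at the next `<Log` line, and the XML declaration becomes a separate event with no timestamp.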