how come when i forward one xml to indexer, it is split into multiple event, how to configure such that one xml is in one event? thks
You'll need to set appropriate props.conf settings, see http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/propsconf
For your case, you're probably hitting maximum lines or bytes per event - consider adding these to your sourcetype's stanza:
MAX_EVENTS = a number large enough to accommodate your number of lines TRUNCATE = a number large enough to accommodate your number of bytes
Take a look at BREAK_ONLY_BEFORE in props.conf: http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/propsconf You should be able to set that to the start of your events, and Splunk will break them accordingly.
The # of events is 1528 and the byte is ~118000. What would be your recommendation?
Well, beyond guessing that it might be a size-related issue I'm going to need more information about the data.
cannot work, i made the above changes, restart the splunk and the xml is still split into multiple events
