There are so many such posts already available in Splunk answers.
XML data ingestion
http://answers.splunk.com/answers/103957/help-with-getting-started-reporting-from-xml-files-in-a-dir...
XML Data parsing
http://answers.splunk.com/answers/70619/parsing-xml-log-files.html
These links have a lot of information, but my question is which file needs to be modified?
props.conf or input.conf?
Do not modify your .conf files yet..
Go to the server which you want the data off of. Then install a forwarder (see below). Once you have that forwarder installed you will then go to your inputs.conf (etc/system/local) and you will create a stanza. Your stanza should look like this (this should be defined on the forwarder, not the indexer):
[host::hostname]
sourcetype=log4j
index= YOUR_Index_NAME
http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/DeployaWindowsdfmanually
The forwarder is already installed and the search server is also able to read/parse the .log files on this host.
Installation directory: C:\Program Files\SplunkUniversalForwarder
And I can see the below in the file that you mentioned:
[default]
host = XXXX
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
So far for any changes we always modify the conf files on the main deployment server and not on each host individually.
Where do we need to add the code for .xml files?
There are a few ways of doing this. You can either upload them manually into Splunk (see documentation below) or you can set up a forwarder to automatically upload data into Splunk as it comes in. I'd recommend using a forwarder.
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Uploaddata
When you say "search server" do you mean the indexer? You need to define your index name on the forwarder and not the indexer..
So say you have a server called 'SRV-Aux01' you want to collect log files from.. You will then go to that server and install a forwarder on it, you will then go to etc/system/local/inputs.conf and define your stanza which includes your index name.
If you wanted to define the linebreaking or anything related, you will do that on the indexer
How does it know the .xml logs location? I have not provided anything in the conf files!
If this was helpful then please accept my answer
If you do not specify the index name in your inputs.conf then it will automatically be in index=main
In my scenario, the forwarder has already been installed on SRV-Aux01.
We do not modify any files on the hosts manually. Instead, we have a splunk deployment server (that talks to all the hosts).
Then it is already picking up those logs. If you did not define the index on the forwarder then it's in index=main, which is the default index.
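
The file layout discussed in this thread, as an added example that is not part of the original posts or Splunk's shipped configuration: inputs pushed from the deployment server to the forwarder, with line breaking defined on the indexer. The server class name, app name, sourcetype name, log path and the `<event>` record tag are placeholders chosen for illustration.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Maps the forwarder host to the app below (class and app names are placeholders).
[serverClass:xml_logs]
whitelist.0 = SRV-Aux01

[serverClass:xml_logs:app:xml_inputs]
restartSplunkd = true

# --- Deployment server: $SPLUNK_HOME/etc/deployment-apps/xml_inputs/local/inputs.conf ---
# This file is pushed to the forwarder. The monitor stanza is what tells the
# forwarder where the .xml files are; without one, nothing is collected.
# The path is a placeholder; substitute the real log directory.
[monitor://C:\PLACEHOLDER\logs\*.xml]
sourcetype = app_xml
# Set the index explicitly; events with no index setting land in index=main.
index = YOUR_Index_NAME
disabled = false

# --- Indexer: props.conf (for example in $SPLUNK_HOME/etc/system/local) ---
# Parse-time settings such as line breaking are applied on the indexer,
# not on the universal forwarder.
[app_xml]
SHOULD_LINEMERGE = false
# Assumes each record starts with an <event> element on a new line.
LINE_BREAKER = ([\r\n]+)\s*<event>

# --- Search head: props.conf ---
# Search-time XML field extraction for the same sourcetype.
[app_xml]
KV_MODE = xml
```

After the app is deployed, a search over `index=YOUR_Index_NAME sourcetype=app_xml` confirms that events arrive in the intended index rather than in `main`.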