There are so many such posts already available in Splunk answers.
XML data ingestion
XML Data parsing
Do not modify your .conf files yet.
Go to the server which you want the data off of. Then install a forwarder (see below). Once you have that forwarder installed, you will then go to your inputs.conf (etc/system/local) and you will create a stanza. Your stanza should look like this (this should be defined on the forwarder, not the indexer).
The forwarder is already installed and the search server is also able to read/parse the .log files on this host.
Installation directory: C:\Program Files\SplunkUniversalForwarder
And I can see the below in the file that you mentioned:
host = XXXX
disabled = 0
So far for any changes we always modify the conf files on the main deployment server and not on each host individually.
Where do we need to add the code for .xml files?
There are a few ways of doing this. You can either upload them manually into Splunk (see documentation below) or you can set up a forwarder to automatically upload data into Splunk as it comes in. I'd recommend using a forwarder.
When you say "search server" do you mean the indexer? You need to define your index name on the forwarder and not the indexer.
So say you have a server called 'SRV-Aux01' you want to collect log files from. You will then go to that server and install a forwarder on it; you will then go to etc/system/local/inputs.conf and define your stanza, which includes your index name.
If you wanted to define the linebreaking or anything related, you will do that on the indexer.
In my scenario, the forwarder has already been installed on SRV-Aux01.
We do not modify any files on the hosts manually. Instead, we have a Splunk deployment server (that talks to all the hosts).