How to merge XML rows in one event by .conf?

Hi to all, I've got a log file in which there are many XML messages printed. One single log message is split into many rows (as you can see from the example below), but I have to merge those rows into a single Splunk event. I'm on Splunk Enterprise Cluster Environment 6.6.2, and these logs are provided by many Universal Forwarders which sends them to two Heavy Forwarders 6.6.1 (HF) who send the logs to indexer cluster (IDX). I've tried many props.conf configurations, on HF (BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER, DATETIME_CONFIG, etc...), also on IDX, but Splunk continues to split the event on tag "" given that it finds a timestamp. == props.conf (on HF and IDX) == [my_sourcetype] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = false BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{4} TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N MAX_TIMESTAMP_LOOKAHEAD = 26 MUST_NOT_BREAK_AFTER = \s*(http://tempuri.org/Service/tag_afalsetrue999999999ffffffffff99ffffffffffffffff999999999fffffff9,99ffffftrueffffffffffffffffffffffffff22/03/2018fffff999992018-02-20T20:31:20.097ffXMLfalse } Have you got any ideas how to fix this behavior? Also, do I have to configure only HF props.conf or only IDX props.conf or both?