https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112515#M29566 <P>Same problem here - the permissions are set to Global for the app-permissions. My data is from Applocker Wineventlog imported using renderxml=true</P> Thu, 19 May 2016 09:32:39 GMT bravon 2016-05-19T09:32:39Z https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112512#M29563 <P>Hi,</P> <P>i'm using a distributed splunk setup (search head with several indexers) with version 6.1.3. I'm having problems with automatic field extractions from xml data.</P> <P>Linebreaking is configured and working correctly. Extracting fields using spath is also working.</P> <P>My props.conf on the indexers:</P> <PRE><CODE>[mysourcetype] KV_MODE=xml BREAK_ONLY_BEFORE=&lt;record&gt; NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true </CODE></PRE> <P>props.conf on the searchhead:</P> <PRE><CODE>[mysourcetype] KV_MODE=xml </CODE></PRE> <P>Example of the xml data:</P> <PRE><CODE>&lt;record&gt; &lt;date&gt;Fri Sep 05 08:02:32 CEST 2014&lt;/date&gt; &lt;a&gt;b&lt;/a&gt; &lt;b&gt;c&lt;/b&gt; &lt;/record&gt; &lt;record&gt; &lt;date&gt;Fri Sep 05 08:02:33 CEST 2014&lt;/date&gt; &lt;a&gt;d&lt;/a&gt; &lt;b&gt;e&lt;/b&gt; &lt;/record&gt; </CODE></PRE> <P>On a standalone test system, the automatic extraction with KV_MODE=xml is working fine.</P> <P>Any ideas why this isn't working in my distributed environment?</P> <P>Thanks!</P> Fri, 05 Sep 2014 06:27:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112512#M29563 HansWurscht 2014-09-05T06:27:37Z https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112513#M29564 <P>If Splunk looks at your data and thinks it is not entirely XML, it will not obey the <CODE>KV_MODE=xml</CODE>.<BR /> You did put the spec in the right place.</P> <P>Perhaps the subset of data that you are using for test is better XML than the real production data.</P> Mon, 08 Sep 2014 01:19:26 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112513#M29564 lguinn2 2014-09-08T01:19:26Z https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112514#M29565 <P>My guess is that the application containing the props.conf needs different permissions (App-permissions -&gt; Global)</P> Fri, 07 Aug 2015 09:27:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112514#M29565 bravon 2015-08-07T09:27:07Z https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112515#M29566 <P>Same problem here - the permissions are set to Global for the app-permissions. My data is from Applocker Wineventlog imported using renderxml=true</P> Thu, 19 May 2016 09:32:39 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112515#M29566 bravon 2016-05-19T09:32:39Z https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112516#M29567 <P>Is there an answer for this problem!? I've also have the same issue after move from my standalone system to a cluster (1y searchhead, 1x master, 3x peernodes).</P> Tue, 09 Jan 2018 15:39:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-KV-MODE-xml-not-working-in-my-distributed-environment/m-p/112516#M29567 seilemor 2018-01-09T15:39:29Z