I am getting inputs in the form of xml files.. To extract the fields from xml, do i need to use xmlkv in search or KV_MODE=xml in props.conf?
Which one gives better performance and what is the difference between the two?
As per splunk documentation here is the difference
The xmlkv command automatically extracts fields from XML-formatted data. For example, if the XML contains the following in its _raw data . xmlkv command needed to be invoked by the user to get the fields.
KV_MODE = xml is a search time field extraction that happens before the results are fetched to the user .This setting automatically bring the field extractions automatically.
Hence KV_MODE =xml is the best practice and performance wise there wont be much difference (not sure)