Difference between using xmlkv and KV_MODE=xml

I am getting inputs in the form of XML files. To extract the fields from the XML, do I need to use xmlkv in search or KV_MODE=xml in props.conf?
Which one gives better performance and what is the difference between the two?

Splunk Employee

The underlying code for both is the same, so the performance won't be much different. The difference is when you want these fields extracted and when you don't.

KV_MODE=xml will always be done for that sourcetype.
xmlkv will only be done when you use it in a search string.
So if you always want all of the fields to be extracted, use KV_MODE, but if you only want the fields to be occasionally extracted, use xmlkv in your search string.
If you only want one or two fields from a big XML file, it might be better to extract them using normal regex extraction.

Another use for xmlkv is when not all of your event is clean XML. KV_MODE would fail and not give you the fields. In a search, you can use an eval or rex to extract and clean the XML portion and then run xmlkv on that.

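As an added example (not part of the original thread), the "mixed event" case the answer above describes: a log line that is only partly XML, where a rex captures the XML portion into its own field and xmlkv is run on that field instead of on _raw. The sample event is constructed inline with makeresults so the search runs without any index; the field and element names are assumptions.

```spl
| makeresults
| eval _raw="2024-01-01 12:00:00 INFO order received payload=<order><id>42</id><status>new</status></order> took=12ms"
| rex field=_raw "(?<xmlpart><order>.*</order>)"
| xmlkv xmlpart
| table id status
```

The always-on alternative is a `KV_MODE = xml` line in the sourcetype's props.conf stanza, which only works when the whole event is well-formed XML.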
As per the Splunk documentation, here is the difference:

The xmlkv command automatically extracts fields from XML-formatted data. For example, if the XML contains the following in its _raw data. The xmlkv command needs to be invoked by the user to get the fields.

KV_MODE = xml is a search-time field extraction that happens before the results are fetched for the user. This setting brings in the field extractions automatically.

Hence KV_MODE = xml is the best practice, and performance-wise there won't be much difference (not sure).
