Hi,
I am getting inputs in the form of XML files. To extract the fields from the XML, do I need to use xmlkv in the search or KV_MODE=xml in props.conf?
Which one gives better performance, and what is the difference between the two?
The underlying code for both is the same, so the performance won't be much different. The difference is when you want these fields extracted and when you don't.
KV_MODE=xml will always be done for that sourcetype.
xmlkv will only be done when you use it in a search string.
So if you always want all of the fields to be extracted, use KV_MODE, but if you only want the fields to be occasionally extracted, use xmlkv in your search string.
If you only want one or two fields from a big XML file, it might be better to extract them using normal regex extraction.
Another use for xmlkv is when not all of your event is clean XML. KV_MODE would fail and not give you the fields. In a search, you can use an eval or rex to extract and clean the XML portion and then run xmlkv on that.
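The three search-time approaches described in this answer, written out as SPL. This is an added example, not code from the original post or from Splunk's documentation; the sourcetype `app_xml`, the `<event>` root element and the field names `user` and `status` are assumptions for illustration. The first search runs xmlkv over clean XML events. The second handles events that carry a non-XML prefix (a syslog header, for instance): `rex` isolates the `<event>...</event>` portion into a field, and xmlkv is then pointed at that field instead of `_raw` (the `(?s)` flag is needed because the XML spans several lines). The third pulls just two fields with plain regex extraction and never parses the whole document.

```spl
sourcetype=app_xml
| xmlkv
| table _time user status

sourcetype=app_xml
| rex field=_raw "(?s)^(?<prefix>[^<]*)(?<xmlbody><event>.*</event>)\s*$"
| xmlkv xmlbody
| table _time prefix user status

sourcetype=app_xml
| rex field=_raw "<user>(?<user>[^<]+)</user>"
| rex field=_raw "<status>(?<status>[^<]+)</status>"
| stats count by status
```

A quick check when the second pattern returns no fields: run it with `| table prefix xmlbody` first to confirm the regex actually captured the XML portion; an unclosed root element or a trailing non-XML footer will leave `xmlbody` empty, and xmlkv then has nothing to parse.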
As per the Splunk documentation, here is the difference:
The xmlkv command automatically extracts fields from XML-formatted data. For example, if the XML contains the following in its _raw data. The xmlkv command needs to be invoked by the user to get the fields.
KV_MODE = xml is a search-time field extraction that happens before the results are fetched to the user. This setting brings in the field extractions automatically.
Hence KV_MODE=xml is the best practice, and performance-wise there won't be much difference (not sure).
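To make the contrast in this answer concrete, here is an added example (not from the original post or from Splunk's documentation). Assume props.conf on the search head carries the stanza `[app_xml]` with `KV_MODE = xml`; the sourcetype name and the field names `status` and `user` are assumptions. Because KV_MODE extraction runs before results reach the search pipeline, the XML fields already exist in the base search, so the first search filters on `status=ERROR` directly. Without the stanza, the same result needs the second form: run xmlkv first, then filter with `search`.

```spl
sourcetype=app_xml status=ERROR
| stats count by user

sourcetype=app_xml
| xmlkv
| search status=ERROR
| stats count by user
```

To confirm the stanza is actually in effect on the search head, run `splunk btool props list app_xml --debug` from `$SPLUNK_HOME/bin` and check that `KV_MODE = xml` is listed with the file you expect; a stanza placed in a `default` directory or in an app that is not enabled is the usual reason the first search returns nothing while the second works. Note also that with KV_MODE=xml the extraction runs for every search over that sourcetype, whether or not the search uses any XML field, which is the trade-off the first answer describes.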