Knowledge Management

Difference between using xmlkv and KV_MODE=xml

pasokkum
Path Finder

Hi,
I am getting inputs in the form of XML files. To extract the fields from XML, do I need to use xmlkv in search or KV_MODE=xml in props.conf?
Which one gives better performance, and what is the difference between the two?

0 Karma

bmunson_splunk
Splunk Employee

The underlying code for both is the same, so the performance won't be much different. The difference is when you want these fields extracted and when you don't.

KV_MODE=xml will always be done for that sourcetype.
xmlkv will only be done when you use it in a search string.
So if you always want all of the fields to be extracted, use KV_MODE, but if you only want the fields to be occasionally extracted, use xmlkv in your search string.
If you only want one or two fields from a big XML file, it might be better to extract them using normal regex extraction.

Another use for xmlkv is when not all of your event is clean XML. KV_MODE would fail and not give you the fields. In a search, you can use an eval or rex to extract and clean the XML portion and then run xmlkv on that.

0 Karma
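The two approaches described in the answer above, written out as an added example (not from the original post; the sourcetype name, field name and sample event are made up):

```conf
# props.conf: always-on extraction for this sourcetype (hypothetical sourcetype name).
# Every search over sourcetype=my_xml_app gets the XML fields without asking for them.
[my_xml_app]
KV_MODE = xml

# Alternative: leave KV_MODE unset for the sourcetype and extract only when needed,
# by adding xmlkv to the search string:
#   sourcetype=my_xml_app | xmlkv
#
# When the event is not clean XML (constructed sample with a syslog-style prefix):
#   Jan 10 12:00:00 host app: <order><id>42</id><status>shipped</status></order>
# KV_MODE=xml would not parse it, so pull out the XML portion with rex first,
# put it in _raw, and run xmlkv on the cleaned event (yields id=42, status=shipped):
#   sourcetype=my_xml_app
#   | rex field=_raw "(?<xml_body><order>.*</order>)"
#   | eval _raw=xml_body
#   | xmlkv
```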

ssadanala1
Contributor

As per Splunk documentation, here is the difference:

The xmlkv command automatically extracts fields from XML-formatted data. For example, if the XML contains the following in its _raw data. The xmlkv command needs to be invoked by the user to get the fields.

KV_MODE = xml is a search-time field extraction that happens before the results are fetched to the user. This setting brings in the field extractions automatically.

Hence KV_MODE = xml is the best practice, and performance-wise there won't be much difference (not sure).

0 Karma