Knowledge Management

Difference between using xmlkv and KV_MODE=xml

pasokkum
Path Finder

Hi,
I am getting inputs in the form of xml files.. To extract the fields from xml, do i need to use xmlkv in search or KV_MODE=xml in props.conf?
Which one gives better performance and what is the difference between the two?

0 Karma

bmunson_splunk
Splunk Employee
Splunk Employee

The underlying code for both is the same so the performance won't be much different.  The difference is when do you want these fields extracted and when don't you. 

KV_MODE=xml will be always done for that sourcetype. 
xmlkv will only be done when you use it in a search string. 
So if you always want all of the fields to be extracted use KV_MODE but if you only want the fields to be occasionally extracted use xmlkv in your search string.
If you only want one or two fields from a big xml file, it might be better to extract them using normal regex extraction

Another use for xmlkv is when not all of your event is clean xml. KV_MODE would fail and not give you the fields. In a search, you can use an eval or rex to extract and clean the xml portion and then run xmlkv on that. 

0 Karma

ssadanala1
Contributor

As per splunk documentation here is the difference

The xmlkv command automatically extracts fields from XML-formatted data. For example, if the XML contains the following in its _raw data . xmlkv command needed to be invoked by the user to get the fields.

KV_MODE = xml is a search time field extraction that happens before the results are fetched to the user .This setting automatically bring the field extractions automatically.

Hence KV_MODE =xml is the best practice and performance wise there wont be much difference (not sure)

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...