Knowledge Management

Difference between using xmlkv and KV_MODE=xml

Path Finder

I am getting inputs in the form of xml files.. To extract the fields from xml, do i need to use xmlkv in search or KV_MODE=xml in props.conf?
Which one gives better performance and what is the difference between the two?

0 Karma

Splunk Employee
Splunk Employee

The underlying code for both is the same so the performance won't be much different.  The difference is when do you want these fields extracted and when don't you. 

KV_MODE=xml will be always done for that sourcetype. 
xmlkv will only be done when you use it in a search string. 
So if you always want all of the fields to be extracted use KV_MODE but if you only want the fields to be occasionally extracted use xmlkv in your search string.
If you only want one or two fields from a big xml file, it might be better to extract them using normal regex extraction

Another use for xmlkv is when not all of your event is clean xml. KV_MODE would fail and not give you the fields. In a search, you can use an eval or rex to extract and clean the xml portion and then run xmlkv on that. 

0 Karma


As per splunk documentation here is the difference

The xmlkv command automatically extracts fields from XML-formatted data. For example, if the XML contains the following in its _raw data . xmlkv command needed to be invoked by the user to get the fields.

KV_MODE = xml is a search time field extraction that happens before the results are fetched to the user .This setting automatically bring the field extractions automatically.

Hence KV_MODE =xml is the best practice and performance wise there wont be much difference (not sure)

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...