Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I use kv_mode = auto AND kv_mode = XML for sourcetype?

tyronetv
Communicator
‎01-29-2014 09:12 AM

I have an application sourcetype that is a mix of normal informational data and also houses a subset of web requests and web responses all in XML format.

I would like to present the XML data as a searchable element, i.e, account=1234, while at the same time allowing the current key/value pairs to be searched.

As I read the docs, kv_mode is basically all or nothing. In that, it's one mode only.

How would I go about capturing both field elements from my logs using the splunk field identification process and not having to write thousands of extract statements?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-29-2014 12:41 PM

If you want to use Splunk's automatic extraction capabilities, you have to pick one or the other. But - you could split your data into two sourcetypes. For example, instead of mysourcetype, use mysourcetype-XML and mysourcetype-KV. Then your searches could look for sourcetype=mysourcetype* to get both types of data.

Generally, a sourcetype contains data that is syntactically homogeneous, as much as possible.

Another alternative is to use the xmlkv command to parse the XML fields during execution of a particular search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-29-2014 12:41 PM

If you want to use Splunk's automatic extraction capabilities, you have to pick one or the other. But - you could split your data into two sourcetypes. For example, instead of mysourcetype, use mysourcetype-XML and mysourcetype-KV. Then your searches could look for sourcetype=mysourcetype* to get both types of data.

Generally, a sourcetype contains data that is syntactically homogeneous, as much as possible.

Another alternative is to use the xmlkv command to parse the XML fields during execution of a particular search.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...