Solved: KV_MODE=xml not working but xmlkv is

willcwhite · ‎04-07-2020

I have an app on a deployment server that takes in XML data, this app includes a props.conf with KV_MODE=xml.
When I see the data in Splunk, no XML fields are being extracted, but when I add | xmlkv to the end of my query, it extracts all XML fields. Since KV_MODE is for search time extractions does that mean that I have to also put this props.conf on the SHC? Or is there another reason why it's not working?

Thanks in advance.

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

View solution in original post

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

KV_MODE=xml not working but xmlkv is

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)