Solved: Re: KV_MODE=xml not working but xmlkv is

willcwhite · ‎04-07-2020

I have an app on a deployment server that takes in XML data, this app includes a props.conf with KV_MODE=xml.
When I see the data in Splunk, no XML fields are being extracted, but when I add | xmlkv to the end of my query, it extracts all XML fields. Since KV_MODE is for search time extractions does that mean that I have to also put this props.conf on the SHC? Or is there another reason why it's not working?

Thanks in advance.

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

View solution in original post

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

KV_MODE=xml not working but xmlkv is

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...