Solved: Can I use kv_mode = auto AND kv_mode = XML for sou...

tyronetv · ‎01-29-2014

I have an application sourcetype that is a mix of normal informational data and also houses a subset of web requests and web responses all in XML format.

I would like to present the XML data as a searchable element, i.e, account=1234, while at the same time allowing the current key/value pairs to be searched.

As I read the docs, kv_mode is basically all or nothing. In that, it's one mode only.

How would I go about capturing both field elements from my logs using the splunk field identification process and not having to write thousands of extract statements?

lguinn2 · ‎01-29-2014

If you want to use Splunk's automatic extraction capabilities, you have to pick one or the other. But - you could split your data into two sourcetypes. For example, instead of mysourcetype, use mysourcetype-XML and mysourcetype-KV. Then your searches could look for sourcetype=mysourcetype* to get both types of data.

Generally, a sourcetype contains data that is syntactically homogeneous, as much as possible.

Another alternative is to use the xmlkv command to parse the XML fields during execution of a particular search.

View solution in original post

lguinn2 · ‎01-29-2014

If you want to use Splunk's automatic extraction capabilities, you have to pick one or the other. But - you could split your data into two sourcetypes. For example, instead of mysourcetype, use mysourcetype-XML and mysourcetype-KV. Then your searches could look for sourcetype=mysourcetype* to get both types of data.

Generally, a sourcetype contains data that is syntactically homogeneous, as much as possible.

Another alternative is to use the xmlkv command to parse the XML fields during execution of a particular search.

Can I use kv_mode = auto AND kv_mode = XML for sourcetype?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms