topic Re: How to extract kv from a variable format field using kvform? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231797#M68760 <P>I also got this error when I created the directory for forms as described in the documentation - "$SPLUNK_HOME/etc/apps/.../forms". Instead try "$SPLUNK_HOME/etc/apps/.../form", without que final 's'.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform</A></P> Tue, 29 Sep 2020 10:44:22 GMT tcmarquesi 2020-09-29T10:44:22Z How to extract kv from a variable format field using kvform? https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231795#M68758 <P>I need to extract some keys/values from a certain field, however it doesn't have a fixed format. Actually this field can contain multiple sub-fields and assume different lengths according to the data's meaning.<BR /> I was wondering if I can use <STRONG>kvform</STRONG> function, so in the <EM>.form</EM> file I could input all the regexes that match my data.<BR /> Am I thinking right, will splunk's kvform work like this? In positive case, what is the proper sintax of .form file? The documentation pages aren't pretty clear...</P> Wed, 17 Aug 2016 19:53:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231795#M68758 tcmarquesi 2016-08-17T19:53:30Z Re: How to extract kv from a variable format field using kvform? https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231796#M68759 <P>I too would like to know how to format the .form file. I am getting error: Cannot find regex reference: to the lines in the .form file I am creating.</P> Wed, 24 Aug 2016 19:15:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231796#M68759 TobiasBoone 2016-08-24T19:15:52Z Re: How to extract kv from a variable format field using kvform? https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231797#M68760 <P>I also got this error when I created the directory for forms as described in the documentation - "$SPLUNK_HOME/etc/apps/.../forms". Instead try "$SPLUNK_HOME/etc/apps/.../form", without que final 's'.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform</A></P> Tue, 29 Sep 2020 10:44:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-kv-from-a-variable-format-field-using-kvform/m-p/231797#M68760 tcmarquesi 2020-09-29T10:44:22Z