How to extract kv from a variable format field using kvform?
tcmarquesi
I need to extract some keys/values from a certain field, however it doesn't have a fixed format. Actually this field can contain multiple sub-fields and assume different lengths according to the data's meaning.
I was wondering if I can use the kvform function, so in the .form file I could input all the regexes that match my data.
Am I thinking right, will Splunk's kvform work like this? If so, what is the proper syntax of the .form file? The documentation pages aren't very clear...
I too would like to know how to format the .form file. I am getting the error "Cannot find regex reference:" pointing to the lines in the .form file I am creating.
tcmarquesi
I also got this error when I created the directory for forms as described in the documentation - "$SPLUNK_HOME/etc/apps/.../forms". Instead try "$SPLUNK_HOME/etc/apps/.../form", without the final 's'.
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform