Splunk Search

How to extract kv from a variable format field using kvform?

Explorer

I need to extract some keys/values from a certain field, however it doesn't have a fixed format. Actually this field can contain multiple sub-fields and assume different lengths according to the data's meaning.
I was wondering if I can use kvform function, so in the .form file I could input all the regexes that match my data.
Am I thinking right, will splunk's kvform work like this? In positive case, what is the proper sintax of .form file? The documentation pages aren't pretty clear...

0 Karma

Communicator

I too would like to know how to format the .form file. I am getting error: Cannot find regex reference: to the lines in the .form file I am creating.

0 Karma

Explorer

I also got this error when I created the directory for forms as described in the documentation - "$SPLUNK_HOME/etc/apps/.../forms". Instead try "$SPLUNK_HOME/etc/apps/.../form", without que final 's'.
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform

0 Karma