Re: How to extract kv from a variable format field...

tcmarquesi · ‎08-17-2016

I need to extract some keys/values from a certain field, however it doesn't have a fixed format. Actually this field can contain multiple sub-fields and assume different lengths according to the data's meaning.
I was wondering if I can use kvform function, so in the .form file I could input all the regexes that match my data.
Am I thinking right, will splunk's kvform work like this? In positive case, what is the proper sintax of .form file? The documentation pages aren't pretty clear...

TobiasBoone · ‎08-24-2016

I too would like to know how to format the .form file. I am getting error: Cannot find regex reference: to the lines in the .form file I am creating.

tcmarquesi · ‎08-26-2016

I also got this error when I created the directory for forms as described in the documentation - "$SPLUNK_HOME/etc/apps/.../forms". Instead try "$SPLUNK_HOME/etc/apps/.../form", without que final 's'.
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform

How to extract kv from a variable format field using kvform?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

How to extract kv from a variable format field using kvform?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar