Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Examples using kvform?

Lowell
Super Champion
‎06-15-2012 10:53 AM

Does anyone know of any examples of using the kvform search command. The kvform docs seem a bit sparse to me, and I haven't been able to locate any working examples. I'd like to see examples including input files and all configs involved and their locations relative to an app folder.

The docs are unclear on a few points:

  • What location should the form files be placed? (The docs talk about $PLUNK_HOME/etc/apps/.../form, but does that mean there's a folder called "form"? is it located under local or default.). I assume '...' is the app name.
  • Can you only extract one field at a time using the kvform search command?
  • Is it possible to setup automatic extraction for a specified sourcetype via props?
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎04-16-2015 04:35 AM

I am pretty sure it is broken.

Screen shot here:
https://www.dropbox.com/s/3f4rj7468qoilln/Screenshot%202015-04-16%2007.29.02.png?dl=0

Sample app here:
http://d.pr/f/wF95

To replicate, import the sample data, ensure you are in the kvform_example app, and run this search:
source="students.txt" | kvform form=students

0 Karma
Reply

snoobzilla
Builder
‎07-30-2014 08:54 AM

I will fourth that.

0 Karma
Reply

Ricapar
Communicator
‎02-05-2013 07:05 AM

I will third that. Some documented examples would be nice.

0 Karma
Reply

rturk
Builder
‎07-03-2012 10:16 PM

I'd be interested to see this expanded out too. The documentation & examples are definitely lacking.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...