Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract kv from a variable format field using kvform?

tcmarquesi
Explorer
‎08-17-2016 12:53 PM

I need to extract some keys/values from a certain field, however it doesn't have a fixed format. Actually this field can contain multiple sub-fields and assume different lengths according to the data's meaning.
I was wondering if I can use kvform function, so in the .form file I could input all the regexes that match my data.
Am I thinking right, will splunk's kvform work like this? In positive case, what is the proper sintax of .form file? The documentation pages aren't pretty clear...

0 Karma
Reply

TobiasBoone
Communicator
‎08-24-2016 12:15 PM

I too would like to know how to format the .form file. I am getting error: Cannot find regex reference: to the lines in the .form file I am creating.

0 Karma
Reply

tcmarquesi
Explorer
‎08-26-2016 07:16 AM

I also got this error when I created the directory for forms as described in the documentation - "$SPLUNK_HOME/etc/apps/.../forms". Instead try "$SPLUNK_HOME/etc/apps/.../form", without que final 's'.
https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Kvform

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...