This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
Extracts values from search results, using a form template.
Syntax
kvform [form=string] [field=field]
Optional arguments
form: the name of a .form file found in $SPLUNK_HOME/etc/apps/.../form.
field: the field whose value names the .form file to use. Default: sourcetype.
Extracts key/value pairs from events based on a form template that describes how to extract the values. If form is specified, kvform uses the installed .form file of that name from the Splunk configuration form directory. For example, if form=sales_order, kvform looks for a sales_order.form file in $SPLUNK_HOME/etc/apps/.../form. Every event processed is matched against that form in an attempt to extract values.
If no form is specified, the value of field determines the name of the .form file to use. For example, if field=error_code, an event with error_code=404 is matched against a 404.form file.
The default value for field is sourcetype, so by default the kvform command looks for <sourcetype>.form files to extract values.
A .form file is essentially a text file of all static parts of a form. It may be interspersed with named references to regular expressions of the type found in transforms.conf. An example .form file might look like this:
Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]
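To make the template mechanics concrete, here is an added illustration (not Splunk's own code, and not how kvform is implemented internally) that turns a .form template like the one above into a regular expression, extracts typed key/value pairs from an event, and picks the template the way the form and field arguments select it. The placeholder types string and int, the constructed events, and the form name student_record are assumptions for the example.

```python
import re
from typing import Dict, Optional

# Placeholder syntax taken from the page's sample .form file: [[type:name]].
PLACEHOLDER = re.compile(r"\[\[(\w+):(\w+)\]\]")
# Assumed placeholder types -> (regex fragment, converter). The lazy string
# pattern stops at the next static part of the form, so multi-word values work.
TYPE_PATTERNS = {"string": (r".+?", str), "int": (r"-?\d+", int)}

def _literal(text: str) -> str:
    """Escape a static part of the form; each whitespace run matches \\s+."""
    return "".join(r"\s+" if tok.isspace() else re.escape(tok)
                   for tok in re.split(r"(\s+)", text))

def form_to_regex(template: str):
    """Compile a .form template into one regex with a named group per placeholder."""
    parts, converters, pos = [], {}, 0
    for m in PLACEHOLDER.finditer(template):
        typ, name = m.group(1), m.group(2)
        if typ not in TYPE_PATTERNS:
            raise ValueError(f"unknown placeholder type {typ!r}")
        parts.append(_literal(template[pos:m.start()]))
        parts.append(f"(?P<{name}>{TYPE_PATTERNS[typ][0]})")
        converters[name] = TYPE_PATTERNS[typ][1]
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return re.compile("".join(parts)), converters

def kvform_extract(template: str, event: str) -> Optional[Dict[str, object]]:
    """Return the key/value pairs the form extracts, or None if the event does not match."""
    pattern, converters = form_to_regex(template)
    m = pattern.search(event)
    return None if m is None else {k: converters[k](v) for k, v in m.groupdict().items()}

def select_form(forms: Dict[str, str], fields: Dict[str, str],
                form: Optional[str] = None, field: str = "sourcetype") -> Optional[str]:
    """form=<name> wins; otherwise the event's value for `field` (default sourcetype) names the form."""
    name = form if form is not None else fields.get(field)
    return forms.get(name) if name else None

# Constructed sample data: the page's example form plus two made-up events.
STUDENT_FORM = "Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]"
FORMS = {"student_record": STUDENT_FORM}
EVENT_OK = "2024-01-01 12:00:00 Students Name: Jane Doe Age: 17 Zip: 94105"
EVENT_BAD = "2024-01-01 12:00:01 Students Name: Jane Doe Age: seventeen Zip: 94105"

if __name__ == "__main__":
    tmpl = select_form(FORMS, {"sourcetype": "student_record"})
    print(kvform_extract(tmpl, EVENT_OK))   # {'student_name': 'Jane Doe', 'age': 17, 'zip': 94105}
    print(kvform_extract(tmpl, EVENT_BAD))  # None
```

An event whose text does not fit the static parts and placeholder types of the form yields no extraction at all rather than partial or mistyped values.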
Example 1: Extract values from "eventtype.form" if the file exists.