Extracts values from search results, using a form template.
kvform [form=<string>] [field=<field>]
- Syntax: form=<string>
- Description: Specify a .form file located in
- Syntax: field=<field>
- Description: The name of the field to extract. Defaults to sourcetype.
Extracts key/value pairs from events based on a form template that describes how to extract the values. If form is specified, the command uses an installed <form>.form file found in the Splunk configuration form directory. For example, if form=sales_order, the command would look for a sales_order.form file in $SPLUNK_HOME/etc/apps/.../form. Every event processed is matched against that form and the values it defines are extracted.
If no form is specified, then the field value determines the name of the field to extract. For example, if field=error_code, then an event that has error_code=404 would be matched against a
The default value for field is sourcetype, so by default the kvform command looks for SOURCETYPE.form files to extract values.
A .form file is essentially a text file containing all the static parts of a form, interspersed with named references to regular expressions of the type found in transforms.conf. An example .form file might look like this:
Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]
Example 1: Extract values from "eventtype.form" if the file exists.
... | kvform field=eventtype
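The following is an added example and not Splunk's own implementation of kvform: a small Python re-implementation of the two behaviours described above, the .form template format (static text with [[type:name]] placeholders) and the selection of a form by the value of a field (by default sourcetype). The placeholder types `string`, `int` and `word`, the form names, the event records and the `kvform` helper are all assumptions constructed for the example; in Splunk the references resolve to regular expressions in transforms.conf and the forms live as files under $SPLUNK_HOME/etc/apps/.../form. Static parts of the template are escaped before being turned into a regex, so punctuation in a form file is matched literally and cannot alter the pattern.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Hypothetical re-implementation of a .form template matcher (not Splunk's code).
# A template is static text interspersed with [[type:name]] placeholders.
PLACEHOLDER = re.compile(r"\[\[(\w+):(\w+)\]\]")

# Assumed placeholder types -> (regex fragment, converter). These built-ins stand
# in for the transforms.conf regexes a real .form file would reference.
TYPES: Dict[str, tuple] = {
    "string": (r"\S+", str),
    "int": (r"-?\d+", int),
    "word": (r"\w+", str),
}


@dataclass
class CompiledForm:
    regex: re.Pattern
    converters: Dict[str, Callable[[str], Any]]

    def extract(self, raw: str) -> Optional[Dict[str, Any]]:
        """Apply the form to one raw event; return typed fields, or None if it does not match."""
        m = self.regex.search(raw)
        if not m:
            return None
        return {name: self.converters[name](value) for name, value in m.groupdict().items()}


def _literal(static: str) -> str:
    """Escape static template text so it matches literally; any whitespace run matches \\s+."""
    return r"\s+".join(re.escape(part) for part in re.split(r"\s+", static))


def compile_form(template: str) -> CompiledForm:
    """Turn a .form template into a regex with one named group per placeholder."""
    parts: List[str] = []
    converters: Dict[str, Callable[[str], Any]] = {}
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        typ, name = m.group(1), m.group(2)
        if typ not in TYPES:
            raise ValueError(f"unknown placeholder type {typ!r} in template")
        parts.append(_literal(template[pos:m.start()]))
        parts.append(f"(?P<{name}>{TYPES[typ][0]})")
        converters[name] = TYPES[typ][1]
        pos = m.end()
    parts.append(_literal(template[pos:]))
    return CompiledForm(re.compile("".join(parts)), converters)


def kvform(events: List[Dict[str, Any]], forms: Dict[str, str],
           form: Optional[str] = None, field: str = "sourcetype") -> List[Dict[str, Any]]:
    """Mimic the command: with form= every event is matched against that form;
    otherwise the event's `field` value names the form (e.g. SOURCETYPE.form)."""
    compiled = {name: compile_form(tpl) for name, tpl in forms.items()}
    results = []
    for ev in events:
        name = form if form is not None else ev.get(field)
        cf = compiled.get(name)  # no such form: the event passes through unchanged
        extracted = cf.extract(ev["_raw"]) if cf else None
        results.append({**ev, **(extracted or {})})
    return results


# Constructed sample forms (stand-ins for <name>.form files) and events.
FORMS = {
    "student_record": "Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]",
    "login_audit": "user=[[word:user]] result=[[word:result]] src=[[string:src]]",
}
EVENTS = [
    {"_raw": "Students Name: Ada Age: 36 Zip: 94043", "sourcetype": "student_record"},
    {"_raw": "user=bob result=failure src=10.0.0.5", "sourcetype": "login_audit"},
    {"_raw": "no form defined for this sourcetype", "sourcetype": "syslog"},
]

if __name__ == "__main__":
    for row in kvform(EVENTS, FORMS):
        print(row)
```

Running the block as a script prints each event with the fields its form extracted; `kvform(EVENTS, FORMS, form="login_audit")` instead forces every event through the login_audit form, so the student record yields nothing. A template such as `cost=$[[int:cost]] (USD)` matches `cost=$12 (USD)` but not `cost=12 USD`, because the `$` and the parentheses are treated as literal text rather than regex syntax.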
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2