Splunk Cloud

Search Reference

Download manual as PDF

Download topic as PDF

kvform

Description

Extracts key/value pairs from events based on a form template that describes how to extract the values.

Syntax

kvform [form=<string>] [field=<field>]

Optional arguments

form
Syntax: form=<string>
Description: Specify a .form file located in a $SPLUNK_HOME/etc/apps/*/forms/ directory.
field
Syntax: field=<field_name>
Description: Uses the field name to look for .form files that correspond to the field values for that field name. For example, your Splunk deployment uses the splunkd and mongod sourcetypes. If you specify field=sourcetype, the kvform command looks for the splunkd.form and mongod.form in the $SPLUNK_HOME/etc/apps/*/forms/ directory.
Default: sourcetype

Usage

Before you can use the kvform command, you must:

  • Create the forms directory in the appropriate application path. For example $SPLUNK_HOME/etc/apps/<app_name>/forms.
  • Create the .form files and add the files to the forms directory.

If you have Splunk Cloud and want to install form files, file a Support ticket.

Format for the .form files

A .form file is essentially a text file of all static parts of a form. It might be interspersed with named references to regular expressions of the type found in the transforms.conf file.

An example .form file might look like this:

Students Name: [[string:student_name]]
Age: [[int:age]] Zip: [[int:zip]]

Specifying a form

If the form argument is specified, the kvform command uses the <form_name>.form file found in the Splunk configuration forms directory. For example, if form=sales_order, the kvform command looks for a sales_order.form file in the $SPLUNK_HOME/etc/apps/<app_name>/forms directory for all apps. All the events processed are matched against the form, trying to extract values.

Specifying a field

If you specify the field argument, the the kvform command looks for forms in the forms directory that correspond to the values for that field. For example, if you specify field=error_code, and an event has the field value error_code=404, the command looks for a form called 404.form in the $SPLUNK_HOME/etc/apps/<app_name>/forms directory.

Default value

If no form or field argument is specified, the kvform command uses the default value for the field argument, which is sourcetype. The kvform command looks for <sourcetype_value>.form files to extract values.

Examples

1. Extract values using a specific form

Use a specific form to extract values from.

... | kvform form=sales_order

2. Extract values using a field name

Specify field=sourcetype to extract values from forms such as splunkd.form and mongod.form. If there is a form for a source type, values are extracted from that form. If one of the source types is access_combined but there is no access_combined.form file, that source type is ignored.

... | kvform field=sourcetype

3. Extract values using the eventtype field

... | kvform field=eventtype

See also

extract, multikv, rex, xmlkv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the kvform command.

PREVIOUS
kmeans
  NEXT
loadjob

This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.1.3


Comments

Woodcock
Thank you for your feedback on the examples. In addition to updating them, I also enhanced the descriptions for the form and field arguments and added a Usage section to this documentation.

Lstewart splunk, Splunker
September 12, 2017

Your example is wrong and is mixing the 2 arguments. It should read either:

Example 1: Extract values from "eventtype.form" if the file exists.
... | kvform form=

OR:

Example 1: Extract values from "splunkd.form", "mongod.form", etc.
index=_* | kvform field=sourcetype

Woodcock
August 30, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters