Extracts key-value pairs from events based on a form template that describes how to extract the values.
For Splunk Cloud Platform, you must create a private app to extract key-value pairs from events. If you are a Splunk Cloud administrator with experience creating private apps, see Manage private apps in your Splunk Cloud Platform deployment in the Splunk Cloud Admin Manual. If you have not created private apps, contact your Splunk account representative for help with this customization.
kvform [form=<string>] [field=<field>]
- Syntax: form=<string>
- Description: Specify a .form file located in a
- Syntax: field=<field_name>
- Description: Uses the field name to look for
.formfiles that correspond to the field values for that field name. For example, your Splunk deployment uses the
mongodsourcetypes. If you specify
kvformcommand looks for the
- Default: sourcetype
Before you can use the
kvform command, you must:
- Create the
formsdirectory in the appropriate application path. For example
- Create the
.formfiles and add the files to the
Format for the .form files
.form file is essentially a text file of all static parts of a form. It might be interspersed with named references to regular expressions of the type found in the transforms.conf file.
.form file might look like this:
Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]
Specifying a form
form argument is specified, the
kvform command uses the
<form_name>.form file found in the Splunk configuration
forms directory. For example, if
kvform command looks for a
sales_order.form file in the
$SPLUNK_HOME/etc/apps/<app_name>/forms directory for all apps. All the events processed are matched against the form, trying to extract values.
Specifying a field
If you specify the
field argument, the the
kvform command looks for forms in the
forms directory that correspond to the values for that field. For example, if you specify
field=error_code, and an event has the field value
error_code=404, the command looks for a form called
404.form in the
field argument is specified, the
kvform command uses the default value for the
field argument, which is
kvform command looks for
<sourcetype_value>.form files to extract values.
1. Extract values using a specific form
Use a specific form to extract values from.
... | kvform form=sales_order
2. Extract values using a field name
field=sourcetype to extract values from forms such as
mongod.form. If there is a form for a source type, values are extracted from that form. If one of the source types is
access_combined but there is no
access_combined.form file, that source type is ignored.
... | kvform field=sourcetype
3. Extract values using the eventtype field
... | kvform field=eventtype
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2106, 8.2.2107, 8.2.2105, 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202, 8.2.2203