kvform
Description
Extracts key-value pairs from events based on a form template that describes how to extract the values.
For Splunk Cloud Platform, you must create a private app to extract key-value pairs from events. If you are a Splunk Cloud administrator with experience creating private apps, see Manage private apps in your Splunk Cloud Platform deployment in the Splunk Cloud Admin Manual. If you have not created private apps, contact your Splunk account representative for help with this customization.
Syntax
kvform [form=<string>] [field=<field>]
Optional arguments
- form
  - Syntax: form=<string>
  - Description: Specify a .form file located in a $SPLUNK_HOME/etc/apps/*/forms/ directory.
- field
  - Syntax: field=<field_name>
  - Description: Uses the field name to look for .form files that correspond to the field values for that field name. For example, your Splunk deployment uses the splunkd and mongod sourcetypes. If you specify field=sourcetype, the kvform command looks for the splunkd.form and mongod.form files in the $SPLUNK_HOME/etc/apps/*/forms/ directory.
  - Default: sourcetype
Usage
Before you can use the kvform command, you must:
- Create the forms directory in the appropriate application path. For example, $SPLUNK_HOME/etc/apps/<app_name>/forms.
- Create the .form files and add the files to the forms directory.
Format for the .form files
A .form file is essentially a text file of all static parts of a form. It might be interspersed with named references to regular expressions of the type found in the transforms.conf file.
An example .form file might look like this:
Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]
Specifying a form
If the form argument is specified, the kvform command uses the <form_name>.form file found in the Splunk configuration forms directory. For example, if form=sales_order, the kvform command looks for a sales_order.form file in the $SPLUNK_HOME/etc/apps/<app_name>/forms directory for all apps. All the events processed are matched against the form, trying to extract values.
Specifying a field
If you specify the field argument, the kvform command looks for forms in the forms directory that correspond to the values for that field. For example, if you specify field=error_code, and an event has the field value error_code=404, the command looks for a form called 404.form in the $SPLUNK_HOME/etc/apps/<app_name>/forms directory.
Default value
If no form or field argument is specified, the kvform command uses the default value for the field argument, which is sourcetype. The kvform command looks for <sourcetype_value>.form files to extract values.
Examples
1. Extract values using a specific form
Use a specific form to extract values from.
... | kvform form=sales_order
2. Extract values using a field name
Specify field=sourcetype to extract values from forms such as splunkd.form and mongod.form. If there is a form for a source type, values are extracted from that form. If one of the source types is access_combined but there is no access_combined.form file, that source type is ignored.
... | kvform field=sourcetype
3. Extract values using the eventtype field
... | kvform field=eventtype
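To make the form format and the form-selection rules above concrete, here is an added Python illustration (not Splunk's implementation and not from this page). It compiles a .form template such as the student example into a regular expression with one named group per [[type:name]] reference, casts int fields, and mimics the dispatch described under "Specifying a form", "Specifying a field" and "Default value": an explicit form= wins, otherwise the value of field= (default sourcetype) names the form, and an event whose form does not exist is passed through unchanged, as the access_combined case in example 2 describes. The FORMS dictionary stands in for files under $SPLUNK_HOME/etc/apps/<app_name>/forms/; its names and contents, the per-type value patterns, and the sample events are all constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-ins for .form files that would live under
# $SPLUNK_HOME/etc/apps/<app_name>/forms/; names and contents are assumptions.
FORMS: Dict[str, str] = {
    "sales_order": "Students Name: [[string:student_name]] Age: [[int:age]] Zip: [[int:zip]]",
    "splunkd": "[[string:component]] - [[string:message]]",
}

# A [[type:name]] reference embedded in the static text of a form.
FIELD_REF = re.compile(r"\[\[(string|int):([A-Za-z_][A-Za-z0-9_]*)\]\]")

# Assumed per-type capture pattern and caster (real forms reference transforms.conf regexes).
VALUE_PATTERNS = {"string": r".+?", "int": r"-?\d+"}
CASTERS = {"string": str, "int": int}


def _static_to_regex(text: str) -> str:
    """Match static form text literally, but let a whitespace run match any whitespace run."""
    return "".join(r"\s+" if piece.isspace() else re.escape(piece)
                   for piece in re.split(r"(\s+)", text))


def compile_form(template: str) -> Tuple["re.Pattern", Dict[str, str]]:
    """Turn a form template into an anchored regex with one named group per field.

    Returns the compiled pattern and a name -> type map used for casting.
    The form is assumed to describe the whole event, hence the ^ and $ anchors.
    """
    parts = ["^"]
    types: Dict[str, str] = {}
    pos = 0
    for ref in FIELD_REF.finditer(template):
        ftype, name = ref.group(1), ref.group(2)
        parts.append(_static_to_regex(template[pos:ref.start()]))
        parts.append(f"(?P<{name}>{VALUE_PATTERNS[ftype]})")
        types[name] = ftype
        pos = ref.end()
    parts.append(_static_to_regex(template[pos:]))
    parts.append("$")
    return re.compile("".join(parts)), types


def extract(template: str, raw: str) -> Optional[Dict[str, object]]:
    """Apply one form to one raw event; None when the event does not fit the form."""
    pattern, types = compile_form(template)
    m = pattern.search(raw)
    if m is None:
        return None
    return {name: CASTERS[types[name]](value) for name, value in m.groupdict().items()}


def kvform(event: Dict[str, object], forms: Dict[str, str] = FORMS,
           form: Optional[str] = None, field: str = "sourcetype") -> Dict[str, object]:
    """Mimic the command's dispatch: an explicit form= wins, otherwise the value of
    field= names the form; an event with no matching form passes through unchanged."""
    form_name = form if form is not None else event.get(field)
    template = forms.get(str(form_name)) if form_name is not None else None
    if template is None:
        return dict(event)  # no <value>.form for this event: ignored, not an error
    fields = extract(template, str(event.get("_raw", "")))
    return {**event, **(fields or {})}


# Constructed sample events (not real Splunk data).
EVENTS = [
    {"sourcetype": "sales_order", "_raw": "Students Name: Ada Lovelace Age: 36 Zip: 94107"},
    {"sourcetype": "splunkd", "_raw": "Metrics - group=thruput, name=index_thruput"},
    {"sourcetype": "access_combined", "_raw": "10.0.0.1 - - GET /index.html 200"},
]

if __name__ == "__main__":
    for ev in EVENTS:  # equivalent of "... | kvform field=sourcetype"
        print(kvform(ev))
```

Running it with the default field="sourcetype" extracts student_name, age and zip from the first event, component and message from the second, and leaves the access_combined event untouched because no form of that name exists; passing form="sales_order" applies that one form to every event regardless of its sourcetype.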
See also
kmeans | loadjob
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406