I need to extract some keys/values from a certain field, however it doesn't have a fixed format. Actually this field can contain multiple sub-fields and assume different lengths according to the data's meaning.
I was wondering if I can use **kvform** function, so in the *.form* file I could input all the regexes that match my data.
Am I thinking right, will splunk's kvform work like this? In positive case, what is the proper sintax of .form file? The documentation pages aren't pretty clear...
↧