inputcsv
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
inputcsv
Synopsis
Loads search results from the specified csv file.
Syntax
inputcsv [append=<bool] [start=int] [max=int] [events=bool] filename
Arguments
- start
- Datatype: <int>
- Description:
The optional argument 'start' controls the 0-based offset of the first event to be read (default=0)
- max
- Datatype: <int>
- Description: The optional argument 'max' controls the maximum number of events to be read from the file (default = 1000000000)
- events
- Datatype: <bool>
- Description: The optional argument 'max' controls the maximum number of events to be read from the file (default = 1000000000). 'events' is an option that allows the imported results to be treated as events, i.e., so that a proper timeline and fields picker are displayed
Description
Populates the results data structure using the given csv file, which is not modified. The filename must refer to a relative path in $splunk_home/var/run/splunk and if the specified file does not exist and the filename did not have an extension, then filename with a .csv extension is assumed.
The optional argument 'start' controls the 0-based offset of the first event to be read (default=0). The optional argument 'max' controls the maximum number of events to be read from the file (default = 1000000000). 'events' is an option that allows the imported results to be treated as events, i.e., so that a proper timeline and fields picker are displayed. If 'append' is set to true (false by default), the data from the csv file is appended to the current set of results rathering than replacing it.
Examples
Example 1: Read in results from the CSV file: "$SPLUNK_HOME/var/run/splunk/all.csv", keep any that contain the string "error", and save the results to the file: "$SPLUNK_HOME/var/run/splunk/error.csv"
| inputcsv all.csv | search error | outputcsv errors.csvExample 2: Read in events 101 to 600 from either file 'bar' (if exists) or 'bar.csv'.
| inputcsv start=100 max=500 barExample 3: Read in events from the CSV file: "$SPLUNK_HOME/var/run/splunk/foo.csv".
| inputcsv foo.csv- Note, if you run into an issue with inputcsv resulting in an error, make sure that your csv file ends with a BLANK LINE.
See also
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.