Populates the results data structure using the given csv file, which is not modified. The filename must refer to a relative path in
$SPLUNK_HOME/var/run/splunk/csv and if the specified file does not exist and the filename did not have an extension, then filename with a .csv extension is assumed. Updates to $SPLUNK_HOME/var/run/csv*.csv using the
outputcsv command are not replicated across the cluster.
Note: If you run into an issue with the
inputcsv command resulting in an error, make sure that your CSV file ends with a BLANK LINE.
inputcsv [append=<bool>] [start=<int>] [max=<int>] [events=<bool>] <filename>
- Syntax: <filename>
- Description: Specify the name of the CSV file, located in
- Syntax: append=<bool>
- Description: Specifies whether the data from the CSV file is appended to the current set of results (true) or replaces the current set of results (false).
- Default: false
- Syntax: events=<bool>
- Description: Allows the imported results to be treated as events so that a proper timeline and fields picker are displayed.
- Syntax: max=<int>
- Description: Controls the maximum number of events to be read from the file. If
maxis not specified, there is no limit to the number of events that can be read.
- Default: 1000000000 (1 billion)
- Syntax: start=<int>
- Description: Controls the 0-based offset of the first event to be read.
- Default: 0
Example 1: Read in results from the CSV file: "$SPLUNK_HOME/var/run/splunk/csv/all.csv", keep any that contain the string "error", and save the results to the file: "$SPLUNK_HOME/var/run/splunk/csv/error.csv"
| inputcsv all.csv | search error | outputcsv errors.csv
Example 2: Read in events 101 to 600 from either file 'bar' (if exists) or 'bar.csv'.
| inputcsv start=100 max=500 bar
Example 3: Read in events from the CSV file: "$SPLUNK_HOME/var/run/splunk/csv/foo.csv".
| inputcsv foo.csv
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the inputcsv command.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10