Splunk® Enterprise

Search Reference

Preview features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. These documents are not yet publicly available and we ask that you keep such information confidential.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

inputcsv

Description

For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv. If dispatch=true, the path must be in $SPLUNK_HOME/var/run/splunk/dispatch/<job id>.

If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.

If you run into an issue with the inputcsv command resulting in an error, ensure that your CSV file ends with a BLANK LINE.

Syntax

The required syntax is in bold.

| inputcsv
[dispatch=<bool>]
[append=<bool>]
[start=<int>]
[max=<int>]
[events=<bool>]
<filename>
[WHERE <search-query>]

Required arguments

filename
Syntax: <filename>
Description: Specify the name of the .csv file, located in $SPLUNK_HOME/var/run/splunk/csv.

Optional arguments

dispatch
Syntax: dispatch=<bool>
Description: When set to true, this argument indicates that the filename is a .csv file in the dispatch directory. The relative path is $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/.
Default: false
append
Syntax: append=<bool>
Description: Specifies whether the data from the .csv file is appended to the current set of results (true) or replaces the current set of results (false).
Default: false
events
Syntax: events=<bool>
Description: Specifies whether the data in the CSV file are treated as events or as a table of search results. By default events=false returns the data in a table with field names as column headings. The table appears on the Statistics tab. If you set events=true, the imported CSV data must have the _time and _raw fields. The data is treated as events, which appear on the Events tab.
Default: false
max
Syntax: max=<int>
Description: Controls the maximum number of events to be read from the file. If max is not specified, there is no limit to the number of events that can be read.
Default: 1000000000 (1 billion)
start
Syntax: start=<int>
Description: Controls the 0-based offset of the first event to be read.
Default: 0
WHERE
Syntax: WHERE <search-criteria>
Description: Use this clause to improve search performance by prefiltering data returned from the CSV file. Supports a limited set of search query operators: =, !=, <, >, <=, >=, AND, OR, NOT. Any combination of these operators is permitted. Also supports wildcard string searches.

Usage

The inputcsv command is an event-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

Appending or replacing results

If the append argument is set to true, you can use the inputcsv command to append the data from the CSV file to the current set of search results. With append=true, you use the inputcsv command later in your search, after the search has returned a set of results. See Examples.

The append argument is set to false by default. If the append argument is not specified or is set to false, the inputcsv command must be the first command in the search. Data is loaded from the specified CSV file into the search.

Working with large CSV files

The WHERE clause allows you to narrow the scope of the search of the inputcsv file. It restricts the inputcsv to a smaller number of rows, which can improve search efficiency when you are working with significantly large CSV files.

Distributed deployments

The inputcsv command is not compatible with search head pooling and search head clustering.

The command saves the *.csv file on the local search head in the $SPLUNK_HOME/var/run/splunk/ directory. The *.csv files are not replicated on the other search heads.

Examples

1. Load results that contain a specfic string

This example loads search results from the $SPLUNK_HOME/var/run/splunk/csv/all.csv file. Those that contain the string error are saved to the $SPLUNK_HOME/var/run/splunk/csv/error.csv file.

| inputcsv all.csv | search error | outputcsv errors.csv

2. Load a specific range of results

This example loads results 101 to 600 from either the bar file, if exists, or from the bar.csv file.

| inputcsv start=100 max=500 bar

3. Specifying which results to load with operators and expressions

You can use comparison operators and Boolean expression to specify which results to load. This example loads all of the events from the CSV file $SPLUNK_HOME/var/run/splunk/csv/students.csv and then filters out the events that do not match the WHERE clause, where the values in the age field are greater than 13, less than 19, but not 16. The search returns a count of the remaining search results.

| inputcsv students.csv WHERE (age>=13 age<=19) AND NOT age=16 | stats count

4. Append data from a CSV file to search results

You can use the append argument to append data from a CSV file to a set of search results. In this example the combined data is then output back to the same CSV file.

error earliest=-d@d | inputcsv append=true all_errors.csv | outputcsv all_errors.csv

5. Appending multiple CSV files

You can also append the search results of one CSV file to another CSV file by using the append command and a subsearch. This example uses the eval command to add a field to each set of data to denote which CSV file the data originated from.

| inputcsv file1.csv | eval source="file1" | append [inputcsv file2.csv | eval source="file2"]

See also

outputcsv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the inputcsv command.

Last modified on 10 July, 2020
input   inputintelligence

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters