Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

inputcsv

Description

For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv (or $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/ if dispatch = true). If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.

If you run into an issue with the inputcsv command resulting in an error, ensure that your CSV file ends with a BLANK LINE.

Syntax

| inputcsv [dispatch=<bool>] [append=<bool>] [start=<int>] [max=<int>] [events=<bool>] <filename> [WHERE <search-query>]

Required arguments

filename
Syntax: <filename>
Description: Specify the name of the .csv file, located in $SPLUNK_HOME/var/run/splunk/csv.

Optional arguments

dispatch
Syntax: dispatch=<bool>
Description: When set to true, this argument indicates that the filename is a .csv file in the dispatch directory. The relative path is $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/.
Default: false
append
Syntax: append=<bool>
Description: Specifies whether the data from the .csv file is appended to the current set of results (true) or replaces the current set of results (false).
Default: false
events
Syntax: events=<bool>
Description: Allows the imported results to be treated as events so that a proper timeline and fields picker are displayed.
max
Syntax: max=<int>
Description: Controls the maximum number of events to be read from the file. If max is not specified, there is no limit to the number of events that can be read.
Default: 1000000000 (1 billion)
start
Syntax: start=<int>
Description: Controls the 0-based offset of the first event to be read.
Default: 0
WHERE
Syntax: WHERE <search-query>
Description: Use this clause to improve search performance by prefiltering data returned from the lookup table. Supports a limited set of search query operators: =, !=, <, >, <=, >=, AND, OR, NOT. Any combination of these operators is permitted. Also supports wildcard string searches.

Usage

The inputcsv command is an event-generating command. See Command types.

Generating commands use a leading pipe character and should be the first command in a search.

Appending or replacing results

If the append argument is set to true, the Splunk software appends the data from the .csv file to the current set of results. The append argument is set to false by default, which means that it replaces the current result set with the results from the lookup search.

Working with large CSV lookup tables

The WHERE clause allows you to narrow the scope of the query that inputlookup makes against the lookup table. It restricts inputlookup to a smaller number of lookup table rows, which can improve search efficiency when you are working with significantly large CSV lookup tables.

Distributed deployments

The inputcsv command is not compatible with search head pooling and search head clustering.

The command saves the *.csv file on the local search head in the $SPLUNK_HOME/var/run/splunk/ directory. The *.csv files are not replicated on the other search heads.

Examples

1. Load results that contain a specfic string

This example loads search results from the $SPLUNK_HOME/var/run/splunk/csv/all.csv file. Those that contain the string error are saved to the $SPLUNK_HOME/var/run/splunk/csv/error.csv file.

| inputcsv all.csv | search error | outputcsv errors.csv

2. Load a specific range of results

This example loads results 101 to 600 from either the bar file, if exists, or from the bar.csv file.

| inputcsv start=100 max=500 bar

3. Specifying which results to load with operators and expressions

You can use comparison operators and Boolean expression to specify which results to load. This example loads all of the events from the CSV file $SPLUNK_HOME/var/run/splunk/csv/students.csv and then filters out the events that do not match the WHERE clause, where the values in the age field are greater than 13, less than 19, but not 16. The search returns a count of the remaining search results.

| inputcsv students.csv WHERE (age>=13 age<=19) AND NOT age=16 | stats count

4. Appending multiple CSV files

You can append the search results of one CSV file to another CSV file by using the append command and a subsearch.

| inputcsv file1.csv | append [| inputcsv file2.csv]

See also

outputcsv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the inputcsv command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Inputcsv:6.4.0&oldid=1003969"
PREVIOUS
input 		  NEXT
inputintelligence

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0, 7.3.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters