Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF



For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv (or $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/ if dispatch = true). If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.

Note: If you run into an issue with the inputcsv command resulting in an error, ensure that your .csv file ends with a BLANK LINE.


| inputcsv [dispatch=<bool>] [append=<bool>] [start=<int>] [max=<int>] [events=<bool>] <filename> [WHERE <search-query>]

Required arguments

Syntax: <filename>
Description: Specify the name of the .csv file, located in $SPLUNK_HOME/var/run/splunk/csv.

Optional arguments

Syntax: dispatch=<bool>
Description: When set to true, this argument indicates that the filename is a .csv file in the dispatch directory. The relative path is $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/.
Default: false
Syntax: append=<bool>
Description: Specifies whether the data from the .csv file is appended to the current set of results (true) or replaces the current set of results (false).
Default: false
Syntax: events=<bool>
Description: Allows the imported results to be treated as events so that a proper timeline and fields picker are displayed.
Syntax: max=<int>
Description: Controls the maximum number of events to be read from the file. If max is not specified, there is no limit to the number of events that can be read.
Default: 1000000000 (1 billion)
Syntax: start=<int>
Description: Controls the 0-based offset of the first event to be read.
Default: 0
Syntax: WHERE <search-query>
Description: Use this clause to improve search performance by prefiltering data returned from the lookup table. Supports a limited set of search query operators: =, !=, <, >, <=, >=, AND, OR, NOT. Any combination of these operators is permitted. Also supports wildcard string searches.


The inputcsv command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

If the append argument is set to true, the Splunk software appends the data from the .csv file to the current set of results. The append argument is set to false by default, which means that it replaces the current result set with the results from the lookup search.

The WHERE clause allows you to narrow the scope of the query that inputlookup makes against the lookup table. It restricts inputlookup to a smaller number of lookup table rows, which can improve search efficiency when you are working with significantly large CSV lookup tables.

Distributed deployments

The inputcsv command is not compatible with search head pooling and search head clustering.

The command saves the *.csv file on the local search head in the $SPLUNK_HOME/var/run/splunk/ directory. The *.csv files are not replicated on the other search heads.


Example 1: Read in results from the .csv file: "$SPLUNK_HOME/var/run/splunk/csv/all.csv", keep any that contain the string "error", and save the results to the file: "$SPLUNK_HOME/var/run/splunk/csv/error.csv"

| inputcsv all.csv | search error | outputcsv errors.csv

Example 2: Read in events 101 to 600 from either file 'bar' (if exists) or 'bar.csv'.

| inputcsv start=100 max=500 bar

Example 3: Read in events from the .csv file: "$SPLUNK_HOME/var/run/splunk/csv/students.csv" where the age is greater than 13, less than 19, but not 16. Provide a count of the events received.

| inputcsv students.csv WHERE (age>=13 age<=19) AND NOT age=16 | stats count

See also



Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the inputcsv command.


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters