For Splunk Enterprise deployments, loads search results from the specified .csv file, which is not modified. The filename must refer to a relative path in
$SPLUNK_HOME/var/run/splunk/dispatch/<job id>/ if
dispatch = true). If the specified file does not exist and the filename does not have an extension, then the Splunk software assumes it has a filename with a .csv extension.
If you run into an issue with the
inputcsv command resulting in an error, ensure that your CSV file ends with a BLANK LINE.
| inputcsv [dispatch=<bool>] [append=<bool>] [start=<int>] [max=<int>] [events=<bool>] <filename> [WHERE <search-query>]
- Syntax: <filename>
- Description: Specify the name of the .csv file, located in
- Syntax: dispatch=<bool>
- Description: When set to true, this argument indicates that the filename is a .csv file in the dispatch directory. The relative path is
- Default: false
- Syntax: append=<bool>
- Description: Specifies whether the data from the .csv file is appended to the current set of results (true) or replaces the current set of results (false).
- Default: false
- Syntax: events=<bool>
- Description: Allows the imported results to be treated as events so that a proper timeline and fields picker are displayed.
- Syntax: max=<int>
- Description: Controls the maximum number of events to be read from the file. If
maxis not specified, there is no limit to the number of events that can be read.
- Default: 1000000000 (1 billion)
- Syntax: start=<int>
- Description: Controls the 0-based offset of the first event to be read.
- Default: 0
- Syntax: WHERE <search-query>
- Description: Use this clause to improve search performance by prefiltering data returned from the lookup table. Supports a limited set of search query operators: =, !=, <, >, <=, >=, AND, OR, NOT. Any combination of these operators is permitted. Also supports wildcard string searches.
Generating commands use a leading pipe character and should be the first command in a search.
Appending or replacing results
append argument is set to
true, the Splunk software appends the data from the .csv file to the current set of results. The
append argument is set to
false by default, which means that it replaces the current result set with the results from the lookup search.
Working with large CSV lookup tables
WHERE clause allows you to narrow the scope of the query that
inputlookup makes against the lookup table. It restricts
inputlookup to a smaller number of lookup table rows, which can improve search efficiency when you are working with significantly large CSV lookup tables.
The command saves the
*.csv file on the local search head in the
$SPLUNK_HOME/var/run/splunk/ directory. The
*.csv files are not replicated on the other search heads.
1. Load results that contain a specfic string
This example loads search results from the
$SPLUNK_HOME/var/run/splunk/csv/all.csv file. Those that contain the string
error are saved to the
| inputcsv all.csv | search error | outputcsv errors.csv
2. Load a specific range of results
This example loads results 101 to 600 from either the
bar file, if exists, or from the
| inputcsv start=100 max=500 bar
3. Specifying which results to load with operators and expressions
You can use comparison operators and Boolean expression to specify which results to load.
This example loads all of the events from the CSV file
$SPLUNK_HOME/var/run/splunk/csv/students.csv and then filters out the events that do not match the WHERE clause, where the values in the
age field are greater than 13, less than 19, but not 16. The search returns a count of the remaining search results.
| inputcsv students.csv WHERE (age>=13 age<=19) AND NOT age=16 | stats count
4. Appending multiple CSV files
You can append the search results of one CSV file to another CSV file by using the
append command and a subsearch.
| inputcsv file1.csv | append [| inputcsv file2.csv]
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the inputcsv command.
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6