inputcsv returning no results

bruceclarke
Contributor

All,

I am trying to read a csv file using the inputcsv command. I can't seem to figure out why, but the command isn't returning any results. The file (call it names.csv) is a list of names, like so:

Users
Bob Smith
Joe Somebody
John Doe

The file is located in var/run/splunk, as the documentation on inputcsv says it should be. When I run the command

|inputcsv names.csv

I get no search results. Clicking the "Inspect..." link provides the following details:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:
None | inputcsv names.csv

"None" is the highlighted portion of the search, which makes me believe that it is not correctly parsing the inputcsv command as it should. I could, however, just be misinterpreting how the command should be used.

Any help you could provide would be greatly appreciated. Thanks!

1 Solution

bruceclarke
Contributor

Ah, I figured it out. The line endings were in Unix format, which must have been throwing the command off. Once I switched them to Windows format, it worked.
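
A way to check for the condition described in the accepted answer, as an added example that is not part of the original thread: it counts the line-ending styles in a CSV and writes a CRLF copy. The sample bytes are constructed from the names.csv contents shown in the question; the function names and the `.crlf` output suffix are hypothetical.

```python
import re
import sys

# Constructed sample: the names.csv contents from the question, saved with Unix (LF) endings.
SAMPLE = b"Users\nBob Smith\nJoe Somebody\nJohn Doe\n"


def line_ending_report(data: bytes) -> dict:
    """Count each line-ending style in the raw bytes of a file."""
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf   # bare LF (Unix format)
    cr = data.count(b"\r") - crlf   # bare CR (classic Mac format)
    return {"crlf": crlf, "lf": lf, "cr": cr,
            "bom": data.startswith(b"\xef\xbb\xbf")}


def to_crlf(data: bytes) -> bytes:
    """Normalise every line ending to CRLF without doubling existing CRLFs."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)


def convert_file(path: str) -> dict:
    """Report on `path`; if it has non-CRLF endings, write `path + '.crlf'`.

    The original file is left untouched so the result can be compared.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    report = line_ending_report(data)
    if report["lf"] or report["cr"]:
        with open(path + ".crlf", "wb") as out:
            out.write(to_crlf(data))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(convert_file(sys.argv[1]))
    else:
        print("before:", line_ending_report(SAMPLE))
        print("after: ", line_ending_report(to_crlf(SAMPLE)))
```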

chris
Motivator

Glad you found the answer to the issue, I didn't think of that.

0 Karma

pallavibalasa
Explorer

I am stuck with a similar issue. It throws an error saying the file could not be read. I created the file and placed it in the specified directory splunk/var/run/splunk/csv/...
I use the command inputcsv filename.csv...
The file is not read and no results are returned.
Please help.

File looks like this......
InvApprover,Status
pallavi ,approved

0 Karma

bruceclarke
Contributor

@pallavibalasa - It looks like the accepted answer here does not apply to your problem. I was always able to see the file, which is not the case for you. I would suggest creating a new Splunk Answer post to address that, rather than commenting on a 3+ year old post that people might not see.

0 Karma

bruceclarke
Contributor

Thanks for the comment. I'm working on a distributed environment, but I do have the file on the search head. I have the file in the correct location ($SPLUNK_HOME/var/run/splunk), and Splunk should have access to it (I actually restricted access to it once and got an error message saying Splunk couldn't read the contents).

I'm a little curious as to why the search highlights "None" which comes before the inputcsv command. It almost seems to suggest that it's looking for something before the csv command, but not finding it. Could you shed any light on that?

0 Karma

chris
Motivator

Hmm, this should work ... I just tried the same on a Splunk instance I have access to. I tried with different user roles admin, power, user; all worked. Do you have a distributed environment (separate servers for search head & indexers)? Then you should create the file on the search head. Oh and by var/run/splunk you mean $SPLUNK_HOME/var/run/splunk right? Oh and the Splunk process does have access to the file names.csv. You're probably good on all those basic things, just trying to help you pin down the problem.
