I am trying to read a csv file using the inputcsv command. I can't seem to figure out why, but the command isn't returning any results. The file (call it names.csv) is a list of names, like so:
Users Bob Smith Joe Somebody John Doe
The file is located in var/run/splunk, as the documentation on inputcsv says it should. When I run the command
I get no search results. Clicking the "Inspect..." link provides the following details:
This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:None | inputcsv names.csv
"None" is the highlighted portion of the search, which makes me believe that it is not correctly parsing the inputcsv command as it should. I could, however, just be misinterpreting how the command should be used.
Any help you could provide would be greatly appreciated. Thanks!
Hmm, this should work ... I just tried the same on an a Splunk instance i have acces to. I tried with different user roles admin,power,user all worked. Do you have a distributed environment (Seperate servers for search head & indexers)? Then you should create the file on the search head. Oh and by var/run/splunk you mean $SPLUNK_HOME/var/run/splunk right? Oh and the splunk process does have access to the file names.csv. You're probably good an all those basic things, just trying to help you pin down the problem.
Thanks for the comment. I'm working on a distributed environment, but I do have the file on the search head. I have the file in the correct location ($SPLUNK_HOME/var/run/splunk), and splunk should have access to it (I actually restricted access to it once and got an error message saying Splunk couldn't read the contents).
I'm a little curious as to why the search highlights "None" which comes before the inputcsv command. It almost seems to suggest that it's looking for something before the csv command, but not finding it. Could you shed any light on that?
Ah, I figured it out. The line endings were in Unix format, which must have been throwing the command off. Once I switched them to Windows format, it worked.
I am stuck with similar issue. It throws error saying file could not be read. I created the file and placed it in specified directory splunk/var/run/splunk/csv/...
I use command inputcsv filename.csv...
File is not read and no results returned.
File looks like this......
@pallavibalasa - It looks like the accepted answer here does not apply to your problem. I was always able to see the file, which is not the case for you. I would suggest creating a new Splunk Answer post to address that, rather than commenting on a 3+ year old post that people might not see.