Hi,

If your CSV file was added to Splunk using the csv source type (with INDEXED_EXTRACTIONS = csv) or a source type with CSV field names defined, the fields should be available at search time.

For example, given foo.csv and source type csv:

x,y
1,1.587189013
2,0.329284696
3,1.133517675
4,-0.996575706
5,-1.64539828
6,-0.50646667
7,-1.063363413
8,-1.40311895
9,0.713595252
10,0.088273196

a search for sourcetype=csv source=foo.csv will return events with fields x and y. (I'm intentionally omitting index and other fields in the example.) For simplicity, you can return known fields with the table command:

sourcetype=csv source=foo.csv
| table x y

Alternatively, you can remove fields you don't want and include all others. Removing the fields from you you identified:

sourcetype=csv source=foo.csv
| fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server"
| table *

returns a table with a x, y, and any remaining default fields.

Using the search.py example app (earliest and latest not specified):

$ python ~/splunk-app-examples/python/search.py 'search sourcetype=csv source=foo.csv | fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server" | table *' --output_mode=json --username=xxx --password=xxx

 returns the fields and values expected (extra fields shown):

...,
"fields":[{"name":"eventtype"},{"name":"punct"},{"name":"splunk_server_group"},{"name":"tag"},{"name":"tag::eventtype"},{"name":"timestamp"},{"name":"x"},{"name":"y"},{"name":"_eventtype_color"}],
"results":[{"punct":",.","splunk_server_group":["dmc_group_indexer","dmc_group_kv_store","dmc_group_license_master","dmc_group_search_head"],"timestamp":"none","x":"10","y":"0.088273196"}, ...],
...