Hi,

If your CSV file was added to Splunk using the csv source type (with INDEXED_EXTRACTIONS = csv) or a source type with CSV field names defined, the fields should be available at search time. For example, given foo.csv and source type csv:

    x,y
    1,1.587189013
    2,0.329284696
    3,1.133517675
    4,-0.996575706
    5,-1.64539828
    6,-0.50646667
    7,-1.063363413
    8,-1.40311895
    9,0.713595252
    10,0.088273196

a search for sourcetype=csv source=foo.csv will return events with fields x and y. (I'm intentionally omitting index and other fields in the example.)

For simplicity, you can return known fields with the table command:

    sourcetype=csv source=foo.csv | table x y

Alternatively, you can remove fields you don't want and include all others. Removing the fields you identified:

    sourcetype=csv source=foo.csv | fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server" | table *

returns a table with x, y, and any remaining default fields.

Using the search.py example app (earliest and latest not specified):

    $ python ~/splunk-app-examples/python/search.py 'search sourcetype=csv source=foo.csv | fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server" | table *' --output_mode=json --username=xxx --password=xxx

returns the fields and values expected (extra fields shown):

    ...,
    "fields":[{"name":"eventtype"},{"name":"punct"},{"name":"splunk_server_group"},{"name":"tag"},{"name":"tag::eventtype"},{"name":"timestamp"},{"name":"x"},{"name":"y"},{"name":"_eventtype_color"}],
    "results":[{"punct":",.","splunk_server_group":["dmc_group_indexer","dmc_group_kv_store","dmc_group_license_master","dmc_group_search_head"],"timestamp":"none","x":"10","y":"0.088273196"}, ...],
    ...
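The answer above drops a hard-coded deny-list of default fields, and its own output shows that other fields (eventtype, punct, timestamp, ...) still come through. An added example, not from the original answer or from the Splunk SDK examples: it post-processes the JSON that search.py --output_mode=json prints, using the header line of foo.csv as an allow-list so only the CSV's own columns remain. The sample JSON and CSV header below are constructed from the shapes shown in the answer.

```python
import csv
import io
import json
import sys

# Constructed sample: the header line of foo.csv from the answer, used as the allow-list.
FOO_CSV_HEADER = "x,y\n"

# Constructed sample mimicking the JSON search.py printed in the answer (trimmed to two rows).
SAMPLE_JSON = json.dumps({
    "fields": [{"name": "eventtype"}, {"name": "punct"}, {"name": "x"}, {"name": "y"},
               {"name": "_eventtype_color"}],
    "results": [
        {"punct": ",.", "splunk_server_group": ["dmc_group_indexer"], "timestamp": "none",
         "x": "10", "y": "0.088273196"},
        {"punct": ",.", "timestamp": "none", "x": "9", "y": "0.713595252"},
    ],
})


def csv_columns(csv_text):
    """Return the column names from the CSV header line (the fields INDEXED_EXTRACTIONS=csv creates)."""
    return next(csv.reader(io.StringIO(csv_text)))


def filter_results(search_json, keep):
    """Keep only allow-listed fields in each result row; a field absent from a row becomes ''."""
    data = json.loads(search_json)
    return [{col: row.get(col, "") for col in keep} for row in data["results"]]


def to_table(rows, keep):
    """Render rows as a tab-separated table with a header line, in CSV column order."""
    lines = ["\t".join(keep)]
    lines += ["\t".join(str(row[col]) for col in keep) for row in rows]
    return "\n".join(lines)


def main():
    # Usage: python search.py '...' --output_mode=json ... | python filter_csv_fields.py foo.csv
    # (filter_csv_fields.py is a hypothetical name for this script)
    with open(sys.argv[1]) as fh:
        keep = csv_columns(fh.read())
    print(to_table(filter_results(sys.stdin.read(), keep), keep))


if __name__ == "__main__":
    main()
```

Because the allow-list comes from the file that was indexed, new default or calculated fields added on the Splunk side never leak into the table without an explicit change here.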