
Parse CSV Formatted Logs

The CSV operator allows you to parse CSV (Comma Separated Values) formatted log entries. It uses a comma as the default delimiter.

For example, let’s say you have a .csv file that maps internal IP addresses to your data center locations and names. Once the .csv file is ingested into Sumo Logic, you can use the CSV operator to parse the fields of the file and populate a lookup table. Then you could use the Geo Lookup operator to map your data center IP addresses and display them on a map of the world.

To parse delimited log entries other than CSV files, such as space delimited files, use the Split operator.

Syntax:

Extract fields using index:

  • csv fieldName extract 1 as A, 2 as B, 5 as E, 6 as F

Extract fields using position:

  • csv fieldName extract A, B, _, _, E, F

Extract from an existing field:

  • parse "start*end" as fieldName | csv fieldName extract 1 as A, 2 as B, 5 as E, 6 as F

Specify an escape and quote character:

  • csv fieldName escape='\', quote=''' extract A, B, _, _, E, F

Rules:

  • By default, the CSV operator uses a comma (,) as the delimiter, a backslash (\) as the escape character, and a double quote (") as the quote character.
  • A field name is always required.
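
The following Python sketch is an added example, not Sumo Logic code. It models the index and position forms of the extract clause with the default delimiter, escape, and quote characters listed above, so you can check an extract specification offline against a sample line. The function name csv_extract, the sample log line, and the handling of a missing column are assumptions made for illustration.

```python
import csv
import re


def csv_extract(raw, spec, escape="\\", quote='"'):
    """Model of `csv <field> extract <spec>` as described above (not Sumo Logic's code)."""
    # Split one record using the documented defaults: comma delimiter,
    # backslash escape character, double quote as the quote character.
    values = next(csv.reader([raw], delimiter=",", quotechar=quote, escapechar=escape))
    out = {}
    for pos, item in enumerate((s.strip() for s in spec.split(",")), start=1):
        m = re.fullmatch(r"(\d+)\s+as\s+(\w+)", item)
        if m:                  # index form, e.g. "5 as E"
            idx, name = int(m.group(1)), m.group(2)
        elif item == "_":      # position form: "_" skips a column
            continue
        else:                  # position form: the name is bound to its position
            idx, name = pos, item
        # Assumption: a column that does not exist yields None rather than an error.
        out[name] = values[idx - 1] if idx <= len(values) else None
    return out


# Constructed sample line: the third field contains a comma and escaped quotes.
SAMPLE = r'10.0.0.5,alice,"Mozilla/5.0 (X11, Linux) \"test\"",GET,200,/login'

if __name__ == "__main__":
    print(csv_extract(SAMPLE, "1 as ip, 2 as user, 5 as status, 6 as path"))
    print(csv_extract(SAMPLE, "ip, user, _, _, status, path"))
    # A naive split on "," ignores quoting and shifts every later column:
    # the fifth element is "GET", not the status code "200".
    print(SAMPLE.split(",")[4])
```

Both forms return the same fields for the sample line, while the naive split shows why quote and escape handling matters when a logged value can itself contain the delimiter.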

Examples:

Parse comma delimited fields.

Use the following query to parse a CSV file’s comma delimited fields as shown:

_sourceCategory=csv
| csv _raw extract 1 as user2, 2 as id, 3 as name

which provides results like:

 

Parse a stream query and extract search terms.

"Starting stream query"
| parse "query=[*], queryId" as query
| csv query extract searchTerms, op1, op2, op3

This produces results like:

For more information on parsing CSV files, see Lookup operator and Save operator.