Parse a CSV-encoded field into known columns. It can parse values of the form:

  • value 1, value 2, value 3

  • "value 1", "value 2", value 3 (Quoted values. Quotes are optional.)

  • "value 1"; "value 2"; value 3 (Using ; as delimiter. Delimiter is configurable.)

ParameterTypeRequiredDefault ValueDescription
columnsstring or arrayrequired   Names of columns to extract from field.
delimiterstringoptional[a] , Delimiter character to split records by.
excludeEmptybooleanoptional[a] false If the value of a column is empty, exclude the field.
field[b]stringrequired @rawstring Field that holds the input in CSV form.
trimbooleanoptional[a] false Allows to ignore whitespace before and after values. If the value is quoted, the quotes can start after the spaces. Useful for parsing data created by sources that do not adhere to the CSV standard.

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name field can be omitted.

For a log line like this:

2017-02-22T13:14:01.917+0000 [main thread] INFO statsModule got result="117,success,27%,3.14"

Using parseCsv(result, columns=[count, status, completion, precision, sourcetask]) will add these fields:


sourcetask will not get assigned a value, as there were too few columns in the input for that.

Use the (unnamed) field parameter to specify which field should be CSV parsed. Specify @rawstring to parse the rawstring.

parseCsv() Examples

Parse String as CSV

Parse a CSV-encoded field into known columns using parseCsv() function

| parseCsv(result, columns=[count, status,
          completion, precision, sourcetask])

The parseCsv() function can be used to Parse a CSV-encoded field into known columns.

Example incoming data might look like this:

Raw Events
2017-02-22T13:14:01.917+0000 [main thread] INFO statsModule got result="117 ,success ,27% ,3.14"

  1. Starting with the source repository events.

  2. logscale

    Parses the string into key value pairs.

  3. logscale
    | parseCsv(result, columns=[count, status,
              completion, precision, sourcetask])

    CSV parses the result field from a log line (extracted by the kvParse() function) and adds the following fields to the event: count with the value 117, status with the value success, completion with the value 27%, and precision with the value 3.14.

  4. Event Result set.

Summary and Results

The query is used to parse a string as CSV.

Sample output from the incoming example data:

27% 117 3.14 117 ,success ,27% ,3.14 success

Parse String as CSV - Example 2

Parse a CSV-encoded field into known columns using parseCsv() function and trim parameter defined

parseCsv(columns=[status, hosts, rest], trim=true)

The parseCsv() function can be used to Parse a CSV-encoded field into known columns. In this example, the parseCsv() function is used to parse a log line with spaces and quotes and trim the output. Trimming the output is done by setting the trim parameter to true. When true and using quotes with trim, the spaces inside the quotes are not removed, but the quotes may come after spaces.

Example incoming data might look like this:

117, ", ", 3.14

  1. Starting with the source repository events.

  2. logscale
    parseCsv(columns=[status, hosts, rest], trim=true)

    CSV parses the columns field from a log line and adds the following fields to the event: status with the value 117, , hosts with the value ", \", rest with the value 3.14".

  3. Event Result set.

Summary and Results

The query is used to parse a string as CSV.

Note that if you use quotes with trim the behavior is as follows:

  • When trim set to true, spaces around the separation character (for example a comma) are ignored, but retained within quoted columns. For example:

    117 , ", " , 3.14

    Would identify three columns:

    117,", ",3.14

    Retaining the spaces at the beginning and end of a quoted column.

  • Without trim (trim=false), the spaces around the character separated would be included in the values. For example:

    117 , ", " , 3.14

    Would identify the following three columns, as the quotation mark after the space does not start a quoted value, which means that the ',' between the two host names is interpreted as a separator:

    117 , ",  "

    In the preceding example, there are spaces after and before columns due to the spaces around the comma separator.