Well, even though this is an old question, I struggled with it today.
In my case I found a better way of doing this, because in my eyes it is easier to maintain and to implement (I didn't want to use SED or execute other scripts which would remove comment lines and so on, and btw each other external command or script needs to be maintained and well executed, which means time/overhead).
1) This is my CSV file:
earliest,latest
c01 first comment line
c02 second comment line
02/05/2014:15:5:0,02/05/2014:16:45:0
2) My search query:
|inputlookup start=2 myabove.csv | return earliest latest
The caveat is that the first line has to contain the column headers or field names in Splunk, and you need to adjust the start=X when you need more comment lines. In my case I have made 20 comment lines and am using 5 atm, so I have some reserved 😉
Hint:
"start=2" is correct although the third line of the csv contains the time in the above example.
"start" will count only for events, therefore the first line, which contains the field names/header, will not count. That said, the c01 line would be the first, the c02 the second. And then you need to know that Splunk will always use the next line specified in "start=X". So if you have 20 comment lines and 1 header, "start" will be "start=20". (http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Inputlookup)
Maybe that helps others (or me when I struggle again sometime).
Best regards
Thomas
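A small Python model of the start= counting described in the post above, added here as an illustration and not part of the original answer or of Splunk's code: the header row is not counted and start is the 0-based offset of the first data row returned. The function names are hypothetical, and the CSV is the post's sample, embedded inline.

```python
import csv
import io
from datetime import datetime

# Constructed sample: the lookup file from the post
# (header, two comment rows, one data row).
SAMPLE_CSV = """earliest,latest
c01 first comment line
c02 second comment line
02/05/2014:15:5:0,02/05/2014:16:45:0
"""

TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"  # format of the earliest/latest values above


def inputlookup_rows(csv_text, start=0):
    """Model of `inputlookup start=N` (hypothetical helper): the header is not
    counted, and N is the 0-based offset of the first data row returned."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return rows[start:]


def is_time_row(row):
    """True when both fields parse as timestamps, i.e. the row is not a comment."""
    try:
        for field in ("earliest", "latest"):
            # Comment rows have no second column, so the value may be None.
            datetime.strptime(row[field] or "", TIME_FORMAT)
        return True
    except ValueError:
        return False


def required_start(csv_text):
    """Offset to pass as start= so the first row returned is a real time row."""
    for offset, row in enumerate(inputlookup_rows(csv_text)):
        if is_time_row(row):
            return offset
    raise ValueError("no row with valid earliest/latest values found")


if __name__ == "__main__":
    start = required_start(SAMPLE_CSV)
    print(f"start={start}", inputlookup_rows(SAMPLE_CSV, start)[0])
```

Running a check like this before saving the lookup catches an off-by-one in start=X, where a comment row would otherwise be returned as the earliest value.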