The parse_csv function splits a comma-separated values (CSV) string into an array of strings. Use this function to parse CSV-formatted log entries, configuration values, or any comma-delimited data into individual values for analysis.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use rex or the split function to parse CSV. APL's parse_csv provides proper CSV parsing with quote handling.
['sample-http-logs']
| extend values = parse_csv(field_name)
In ANSI SQL, parsing CSV requires string splitting functions that vary by database. APL's parse_csv provides standardized CSV parsing.
['sample-http-logs']
| extend values = parse_csv(field_name)
Usage
Syntax
parse_csv(csv_text)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| csv_text | string | Yes | A string containing comma-separated values to parse. |
Returns
Returns a string array containing the individual values from the CSV string. Properly handles quoted values and escaped characters.
Use case examples
Parse comma-separated status codes or error types from log messages.
Query
['sample-http-logs']
| extend status_list = parse_csv('200,201,204,304')
| extend is_success = status in (status_list)
| summarize request_count = count() by is_success, status
| sort by request_count desc
| limit 10
Output
| is_success | status | request_count |
|---|---|---|
| true | 200 | 8765 |
| false | 404 | 2341 |
| false | 500 | 1234 |
| true | 304 | 987 |
This query parses a CSV list of success status codes and categorizes requests accordingly.
Parse comma-separated service lists from trace attributes or configuration.
Query
['otel-demo-traces']
| extend service_list = parse_csv('frontend,checkout,cart')
| extend is_monitored = ['service.name'] in (service_list)
| summarize span_count = count() by ['service.name'], is_monitored
| sort by span_count desc
| limit 10
Output
| service.name | is_monitored | span_count |
|---|---|---|
| frontend | true | 4532 |
| checkout | true | 3421 |
| cart | true | 2987 |
| product-catalog | false | 2341 |
This query parses a CSV list of monitored services and identifies which services are included in the monitoring scope.
Parse comma-separated allowlists or blocklists for security rule evaluation.
Query
['sample-http-logs']
| extend blocked_ips = parse_csv('192.168.1.100,10.0.0.25,172.16.0.50')
| extend simulated_ip = '192.168.1.100'
| extend is_blocked = simulated_ip in (blocked_ips)
| where is_blocked
| summarize blocked_attempts = count() by status, ['geo.country']
| sort by blocked_attempts desc
| limit 10
Output
| status | geo.country | blocked_attempts |
|---|---|---|
| 403 | Unknown | 234 |
| 401 | Russia | 123 |
This query parses a CSV blocklist and flags requests whose IP address (here the constant simulated_ip) appears in it, for security monitoring.
List of related functions
- split: Splits strings by any delimiter. Use this when working with non-CSV delimiters or when quote handling is not needed.
- parse_json: Parses JSON strings into dynamic objects. Use this when working with JSON arrays rather than CSV.
- strcat_delim: Concatenates strings with delimiters. Use this to create CSV strings from individual values.
- extract_all: Extracts multiple regex matches. Use this for more complex parsing patterns beyond CSV.
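The quote handling that separates parse_csv from split, shown in Python as an added example (not Axiom's code and not part of the original page). Python's csv module stands in for quote-aware parsing, which is an assumption about general CSV quoting rules rather than a statement of APL's exact behavior; the log lines and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample CSV log entries: request, status, user agent.
SAMPLE_LINES = [
    'GET /index.html,200,curl/8.0',
    '"GET /search?q=a,b",404,"Mozilla/5.0 (X11, Linux)"',
    'POST /login,401,"agent with ""quotes"""',
]


def naive_split(line):
    """Split on every comma, ignoring quotes (delimiter-only splitting)."""
    return line.split(",")


def quote_aware_parse(line):
    """Parse one CSV record, honouring quoted fields and doubled quotes."""
    return next(csv.reader(io.StringIO(line)), [])


def find_split_mismatches(lines):
    """Return (line_number, naive_fields, parsed_fields) where the two disagree.

    Any hit means delimiter-only splitting would misread that record, so a
    quote-aware parser is needed for the data set.
    """
    mismatches = []
    for number, line in enumerate(lines, start=1):
        naive, parsed = naive_split(line), quote_aware_parse(line)
        if naive != parsed:
            mismatches.append((number, naive, parsed))
    return mismatches


if __name__ == "__main__":
    for number, naive, parsed in find_split_mismatches(SAMPLE_LINES):
        print(f"line {number}: naive={len(naive)} fields, "
              f"quote-aware={len(parsed)} fields")
        # Index 1 is the status column in the constructed layout above.
        print(f"  status via naive split: {naive[1]!r}; "
              f"via quote-aware parse: {parsed[1]!r}")
```

On the second sample line the delimiter-only split yields five fields and reads the status column as `b"`, while the quote-aware parse keeps three fields and reads `404`.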