
I make heavy use of Splunk and the Splunk REST API. Most of the time this works fine. The Splunk query language is easy to use, also for non-developers. I use R alongside Splunk to develop advanced analysis packages to test software robustness. I want to mix both.

Is there any R package or R software that accepts and processes Splunk queries? If not, does anyone else need this functionality in R too?

Mirko Ebert
    It might be better to add R to the [Splunk search pipeline](https://apps.splunk.com/app/1735/), but you can easily use the `httr` package to work with Splunk's [REST API](http://dev.splunk.com/view/SP-CAAADQT). – hrbrmstr Oct 28 '14 at 11:55

1 Answer


Update 2018:

  • the source code has been removed from github
  • the app has been removed from splunkbase

I do not know of a good way of using Splunk in R outside of using the REST API.


Original post:

Yes! There is a Splunk app for that exact purpose.

It is called R Project.

Using it is really easy.

| r "output = data.frame(Name=c('A','B','C'),Value=c(1,2,3))"

... or just the name of an R script file that is uploaded to the app:

| r myscript.r

Input comes in as `input`, and you need to direct your results to `output` to get them back into Splunk.

  1. Download the App
  2. Add the path to your R bin in $SPLUNK_HOME/etc/apps/r/default/r.conf e.g. r=/usr/bin/R
  3. Pipe to R in your search command like this:

| r "exp(mean(log(data.matrix(input)))) -> output"

Here is a slightly more complicated example:

sourcetype=ps earliest=-4m
| multikv fields RSZ_KB
| search RSZ_KB > 0 AND VSZ_KB > 0
| table RSZ_KB VSZ_KB
| r "
gm_mean = function(x, na.rm=TRUE){
  exp(sum(log(x[x > 0]), na.rm=na.rm) / length(x))
}
data <- data.matrix(input);
output <- apply(data, 2, gm_mean)"

provides

x
132.902175678696
34188.4285350717
metasyn
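Since the app above is gone, the REST API route that hrbrmstr's comment and the 2018 update point to is what is left. The following is an added example, not code from the question, the answer or the R Project app: it drives the Splunk search REST API from R with `httr` and `jsonlite`, using the documented endpoints (`POST /services/search/jobs` to create a job, `GET /services/search/jobs/<sid>` to poll it, `GET /services/search/jobs/<sid>/results` to fetch rows). The environment variable names `SPLUNK_URL` and `SPLUNK_TOKEN` are my own convention, token-based authentication is assumed (basic auth works the same way with `httr::authenticate()`), and the embedded JSON response is constructed so that the parsing and geometric-mean part runs offline.

```r
library(httr)
library(jsonlite)

# Connection details come from the environment (assumed variable names), so no
# credentials are hard-coded into a script that may end up in version control.
# Port 8089 is Splunk's default management (REST) port.
splunk_base  <- Sys.getenv("SPLUNK_URL", "https://localhost:8089")
splunk_token <- Sys.getenv("SPLUNK_TOKEN")

auth_header <- function() add_headers(Authorization = paste("Bearer", splunk_token))

# Create a search job and return its search id (sid). The API requires the
# query to start with a generating command, normally "search ...".
# Do not paste untrusted input into `spl`: it is interpreted as SPL.
splunk_create_job <- function(spl, earliest = "-4m", latest = "now") {
  resp <- POST(paste0(splunk_base, "/services/search/jobs"),
               auth_header(),
               body = list(search = spl, earliest_time = earliest,
                           latest_time = latest, output_mode = "json"),
               encode = "form")
  stop_for_status(resp)          # surfaces 401/403 instead of silently continuing
  fromJSON(content(resp, as = "text", encoding = "UTF-8"))$sid
}

# Poll the job until dispatchState is DONE (or FAILED / timeout), then fetch
# every result row. TLS verification is left at httr's default (on); never
# "fix" certificate errors with config(ssl_verifypeer = 0).
splunk_wait_results <- function(sid, poll_seconds = 2, max_wait = 300) {
  job_url <- paste0(splunk_base, "/services/search/jobs/", sid)
  waited  <- 0
  repeat {
    st <- fromJSON(content(GET(job_url, auth_header(),
                               query = list(output_mode = "json")),
                           as = "text", encoding = "UTF-8"),
                   simplifyVector = FALSE)
    state <- st$entry[[1]]$content$dispatchState
    if (identical(state, "DONE"))   break
    if (identical(state, "FAILED")) stop("Splunk job ", sid, " failed")
    if (waited >= max_wait)         stop("timed out waiting for job ", sid)
    Sys.sleep(poll_seconds)
    waited <- waited + poll_seconds
  }
  resp <- GET(paste0(job_url, "/results"), auth_header(),
              query = list(output_mode = "json", count = 0))  # count=0: all rows
  stop_for_status(resp)
  splunk_parse_results(content(resp, as = "text", encoding = "UTF-8"))
}

# Turn the JSON "results" payload into a data.frame. Splunk returns every
# field value as a string, so numeric fields are converted explicitly.
splunk_parse_results <- function(json_text, numeric_fields = character()) {
  df <- fromJSON(json_text)$results
  if (length(df) == 0) return(data.frame())
  for (f in intersect(numeric_fields, names(df))) df[[f]] <- as.numeric(df[[f]])
  df
}

# Geometric mean of the positive entries of a vector, the statistic the
# original answer computed inside the r command.
gm_mean <- function(x) exp(mean(log(x[x > 0])))

# Constructed sample of what /results returns for the answer's
# "table RSZ_KB VSZ_KB" search; lets the rest of the script run offline.
sample_json <- '{"preview":false,"results":[
  {"RSZ_KB":"100","VSZ_KB":"30000"},
  {"RSZ_KB":"150","VSZ_KB":"40000"},
  {"RSZ_KB":"0",  "VSZ_KB":"35000"}]}'

df <- splunk_parse_results(sample_json, numeric_fields = c("RSZ_KB", "VSZ_KB"))
print(apply(data.matrix(df[c("RSZ_KB", "VSZ_KB")]), 2, gm_mean))

# Against a live instance (only when a token is configured):
if (nzchar(splunk_token)) {
  sid  <- splunk_create_job("search sourcetype=ps | multikv fields RSZ_KB | search RSZ_KB > 0 AND VSZ_KB > 0 | table RSZ_KB VSZ_KB")
  live <- splunk_wait_results(sid)
  live[] <- lapply(live, as.numeric)
  print(apply(data.matrix(live), 2, gm_mean))
}
```

The parse step is kept separate from the network calls so it can be tested against captured responses, and errors from `stop_for_status()` are raised rather than swallowed: a search that quietly returns zero rows because the token expired is worse than one that fails loudly. Keep the SPL string under your control; if a query has to incorporate user-supplied values, validate them against an allow-list before they reach `search=`.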