Splunk Search

How do i use R (open source package) in splunk?


How do i use R (open source package) in splunk?

Tags (1)


I've created an Splunk R app. It's really in a very early status so don't use it in production environment.

Description from http://apps.splunk.com/app/1735/:

This app provides a new Splunk search
language command 'r' that allows
passing data from Splunk to the
R-Engine for calculation and then
passing results back to Splunk for
further computation or visualization.

Overview Image

The app is open source: https://github.com/rfsp/r.

Please feel free to contribute. Please provide feedback, questions and suggestions!

Splunk Employee
Splunk Employee


Saw this several weeks back, neat R sample idea that could be pertinent. http://flowingdata.com/2010/01/21/how-to-make-a-heatmap-a-quick-and-easy-solution/

0 Karma

Ultra Champion

You can potentially use Java or Python bindings for R to utilize the Splunk SDK's.



I think you need to define your goals much more precisely, but lguinn is on the right track. Making the general request of "How do I use X with Y?" when both X and Y have a myriad of possible uses is difficult to answer. As an example, "How do I use flour with eggs?" Well, are you wanting to make a cake, some bread, a batter, pie crust, pancakes, waffles, or what?

Let's assume you have some R code that you wish to run against data stored in Splunk. Depending on how you want to "integrate" the two, this could mean one of (at least) two paths.

  1. You could use R programs as custom search commands in Splunk. There would be some effort here to bridge the gap between Splunk's supported Python/Perl search command interfaces and your R code. But, it's a bridgeable gap. Your R program would receive (essentially) csv on input, do whatever it is you want it to do, and emit csv on output. The Splunkweb GUI would still be present, and your commands written using R could be intermixed with existing Splunk search operations. These results of these could be placed on dashboard panels, used in alerts, etc...
  2. You could make a standalone R program that uses Splunk data via an existing Splunk API. A quick (10 minute) reading of the R documentation and a googling on "R REST" shows that R has some API's already for accessing remote REST endpoints and interpreting XML coming back from them. This may give you a leaping-off point to writing a Splunk SDK for R - but it would be a nontrivial task. This would be using Splunk almost exclusively as a datastore - you would need to provide your own visualizations and user interface.


You can't use a programming language to manipulate Splunk data directly. However, you could use the Splunk API to run searches and then retrieve the results.

Correction: you don't have to write R code that calls the Splunk API, although that is probably one way to go.

Others have pointed out a variety of ways that I didn't consider, such as writing custom commands.

Someday I am gonna learn never to say "you can't do that."

Path Finder

Actually, Splunk supports both Python and Perl for full scriptable control of data on the search pipeline:


There's also the less robust script command in the search API that can be used to call a script.

Splunk Employee
Splunk Employee

You probably have to more specific than this.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...