I used Splunk search to feed FFT here: http://answers.splunk.com/answer_link/149675/.
A really basic test to understand input from Splunk is to run:
| r "output=input"
input is a data frame composed of your search results as well as some Splunk implicit fields. (Data frame is the biggest revelation to me, thanks to @rfujara_splunk.) All fields are prefixed with "X". For example, X_time is Splunk _time, X_span is Splunk _span if you used timechart or bucket; if your search outputs a field host, R sees it as Xhost.
output is the data frame to send back to Splunk. Each component name is used as a field name by Splunk.