I am trying to do a statistical analysis using F-Test and T-Test in Splunk with RProject to get p values. (No longer available on Splunk apps, but available on GitHub.)
My sample query looks like this:

    index=pqr host=xyz* NOT TYPE="*ABCDE*" | fields X, Y | timechart limit=0 span=10m count, avg(X) by Y | r " input = data . . . calculations . .
    FT <- function(FT){
      out <- tryCatch(var.test(FT ~ ABCD, data = mydata, conf.level = 0.95)$p.value, error = function(e) NA)
      return(out)
    }
    Fpvalue <- data.frame(apply(mydata[-1], 2, FT))
    output =Fpvalue"

This is the output I'm getting on Splunk, which is all NA's.
But the code, when I run it in RStudio, is giving me actual results (see below):
I cannot figure out why I am getting the NA's.
How do I fix this? Because later I use the results of the Ftest to arrive at other results. Thanks.
Could I do the F test above using Splunk's Search Processing Language?
[2]: /storage/temp/73176-screen-shot-2015-11-12-at-50718-pm.png

Tags: splunk-enterprise, statistics, rproject
Thu, 19 Nov 2015 00:04:04 GMT | m_vivek

[Splunk + R] How do I dynamically rename the column name of results obtained from running an R script on a splunk query?

I have a Splunk + R query:

    index=abcd host=pqrs* earliest=07/01/2015:00:0:0 latest=07/02/2015:01:0:0 | fields DUR, TYPE | timechart limit=0 span=10m count, avg(DUR) by TYPE | eval dataset=1 | append[index=abcd host=pqrs* earliest=07/03/2015:00:0:0 latest=07/04/2015:01:0:0 | fields DUR, TYPE | timechart limit=0 span=10m count, avg(DUR) by TYPE | eval dataset=2] | r " data= input
    output = my_output"

The output looks like this:
**Q.1**
This kind of output is looked at every two weeks. How do I rename the columns so that they also display a proper name along with the date range chosen in the query in **Splunk**?
Ex: I want the **Count.Pre** column to look like **Count 07/01 to 07/02**,
and **Count.post** as **Count 07/03 to 07/04**, and similarly for the other columns whose results are dependent on the date.
(I know renaming columns can be done in multiple ways using R.)
**Q.2** How do I do it dynamically? I.e., if the date range in the query is changed, the names of the columns in the results should also reflect the same change mentioned above.
[1]: /storage/temp/65173-screen-shot-2015-10-12-at-122945-pm.png

Tags: splunk-enterprise, dynamic, r, renaming, rproject
Mon, 12 Oct 2015 19:46:32 GMT | m_vivek

R Project: How to address this error "command="r", argument "no" is missing, with no default"?

I am working with RProject in Splunk.
I have a dataframe on which I do basic **t tests** and **f test** and based on its results, I output certain results.
After I run:

    df.stats$Mean.Result1 <- ifelse(df.stats$t.test.equal > 0.05 & df.stats$f.test > 0.05, "Equal", "")

I get this:
But after I run:

    df.stats$Mean.Result1 <- ifelse(df.stats$t.test.equal > 0.05 & df.stats$f.test > 0.05, "Equal", "")
    df.stats$Mean.Result2 <- ifelse(df.stats$t.test.equal <= 0.05 & df.stats$f.test > 0.05 & df.stats$Mean.Diff < 0, "Slower", "")
    output=df.stats"

I get:

    command="r", argument "no" is missing, with no default

I have no idea what this means.
When code 1 is working, why is the second piece throwing that error?
How do I resolve it?
After piping data from Splunk into R with the help of the RProject, I am doing some basic stuff on it, and at one point, the final dataframe **df.stats** looks like

    a   b   c
    1   2   3
    3   4   na
    na  2   7
    5   na  7

When I do:

    df.stats <- df.stats[complete.cases(df.stats), ]
    output=df.stats"

I get "No results found".
But the same line in RStudio is showing me actual results.
How do I address it? Is there any alternative to `complete.cases()` that I can make use of?
[1]: /storage/temp/63204-screen-shot-2015-10-05-at-104330-am.png

Tags: splunk-enterprise, r, rproject
Mon, 05 Oct 2015 17:46:50 GMT | m_vivek

Why is R in Splunk giving me a 'trying to coerce a function to a dataframe' error?

I am using the R Project with Splunk.
My query goes something like

    index= abcd host= pqrs NOT host=aacd NOT host = ppwqrs | fields DUR, TYPE | timechart limit=0 span=10m count, avg(DUR) by TYPE | r " data= input
    avg.calls.day <- function(calls){
      total.calls <- sum(calls)
      out <- total.calls/ndays
      return(out)
    }
    output = avg.calls.day"

But it keeps throwing me this error:

    command="r", cannot coerce class ""function"" to a data.frame.

Why am I getting this error and how do I resolve it?

Tags: splunk-enterprise, function, rproject, splunkapps
Fri, 25 Sep 2015 21:40:14 GMT | m_vivek

How to perform spectrum analysis?

I do not see FFT or other Fourier transform functions. If I must use an external script, I need the output to be searchable, as a summary index or something. How do I do that?

Tags: analysis, rproject, spectrum, fft
Tue, 29 Jul 2014 00:49:51 GMT | yuanliu

How to run R code from some other apps

I tried running a script file which I had uploaded on R Project and it is working fine. Now how do or what changes or settings are required to run "|r myscript.r" from other apps in Splunk.
Any documentation on same will be highly appreciated.

Tags: splunk, development, r, rproject
Thu, 10 Jul 2014 13:29:33 GMT | harshal_chakranarayan

maxresultrows not working for | search ... | stats count

I'm the developer of the [R Project][1] app and currently working on issue [#13][2].
When executing this...

    index=_internal | r "output=data.frame(count=nrow(input))"

... it returns a *count* column with one row containing the number of events that are passed from the search (which is implicitly a *search* command) to the *r* command. But it's limited to the *maxresultrows* setting.
Based on what I see in the [limits.conf][3] documentation, **that's the expected behaviour**.
However, when executing this...

    index=_internal | stats count

... it returns the actual event count (**which is not limited!**), to me **that's an unexpected behaviour**.
Why is the number of search results not limited when piping the events to a stats command?
[1]: http://apps.splunk.com/app/1735/
[2]: https://github.com/rfsp/r/issues/13
[3]: http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/Limitsconf

Tags: count, limits.conf, limits, r, rproject
Fri, 27 Jun 2014 10:11:09 GMT | rfujara_splunk

How to plot in Splunk using R Project

Can anyone help me to get the plot from R on Splunk?
Below is the code, which I run on R, along with the output on R:

    x <- c(1,2,3,4,5,6)
    plot(x)

Now how do I use R Project on Splunk to execute this sample code from Splunk and get the plots on Splunk?
Any help on this will be highly appreciated.

Tags: development, analytics, rproject
Thu, 26 Jun 2014 12:24:22 GMT | harshal_chakranarayan

Cannot display the Plot from R on splunk

I have integrated "r" (Splunk app) with R and I am trying to run the following script:

    beta_binom<-function(n,y,a=1,b=1,main="")
    {
      #likelihood: y|theta~binom(n,theta)
      #prior: theta~beta(a,b)
      #posterior: theta|y~beta(a+y,n-y+b)
      theta<-seq(0.001,0.999,0.001)
      prior<-dbeta(theta,a,b)
      if(n>0){likelihood<-dbinom(rep(y,length(theta)),n,theta)}
      if(n>0){posterior<-dbeta(theta,a+y,n-y+b)}
      #standardize!
      prior<-prior/sum(prior)
      if(n>0){likelihood<-likelihood/sum(likelihood)}
      if(n>0){posterior<-posterior/sum(posterior)}
      ylim<-c(0,max(prior))
      if(n>0){ylim<-c(0,max(c(prior,likelihood,posterior)))}
      plot(theta,prior,type="l",lty=2,xlab="theta",ylab="",main=main,ylim=ylim)
      if(n>0){lines(theta,likelihood,lty=3)}
      if(n>0){lines(theta,posterior,lty=1,lwd=2)}
      legend("topright",c("prior","likelihood","posterior"),
             lty=c(2,3,1),lwd=c(1,1,2),inset=0.01,cex=.5)
    }

The plot is working fine on R, but we are unable to figure out how to get the plot on Splunk via the 'r' Splunk app.
We executed the following command on Splunk after uploading the above script using the example given on the app:

    | r "
    source('trial1.r')
    result = beta_binom(4,2,5,10,"")
    output = data.frame(Result=c(result))
    "

and we got the following output
