The example provided by SPLUNK for an R script uses the addr.r script that does not use SPLUNK search results. Can you provide a very simple example of an R script that ingests SPLUNK search results and passes them to the script and displays the result?
I used Splunk search to feed FFT here: http://answers.splunk.com/answer_link/149675/.
A really basic test to understand input from Splunk is to run
| r "output=input"
input is a data frame composed of your search results as well as some Splunk implicit fields. (Data frame is the biggest revelation to me, thanks to @rfujara_splunk.) All fields are prefixed with "X". For example, X_time is Splunk _time, X_span is Splunk _span if you used timechart or bucket; if your search outputs a field host, R sees it as Xhost.
output is the data frame to send back to Splunk. Each component name is used as a field name by Splunk.
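
An added example, not part of the original answer: a stand-alone R script that builds a constructed `input` data frame with the column naming described above, aggregates it per host, and assigns the result to `output`. The sample values, the `count` field, and the `pick` and `summarise_by_host` helpers are assumptions made for illustration.

```r
# Constructed stand-in for the `input` data frame that Splunk hands to R,
# using the column naming described in the answer above (assumption).
input <- data.frame(
  X_time = c(1700000000, 1700000000, 1700000060, 1700000060),
  X_span = c(60, 60, 60, 60),
  Xhost  = c("web01", "web02", "web01", "web02"),
  Xcount = c(12, 7, 30, 5),
  stringsAsFactors = FALSE
)

# Hypothetical helper: resolve a Splunk field name to the column R sees,
# accepting both the plain name and the "X"-prefixed one.
pick <- function(df, field) {
  candidates <- c(field, paste0("X", field))
  hit <- candidates[candidates %in% names(df)]
  if (length(hit) == 0) stop("field not found in input: ", field)
  hit[1]
}

# Hypothetical helper: build the data frame to send back to Splunk.
summarise_by_host <- function(input) {
  host  <- input[[pick(input, "host")]]
  count <- as.numeric(input[[pick(input, "count")]])
  time  <- as.numeric(input[[pick(input, "_time")]])
  # One row per host; each column name becomes a Splunk field name.
  data.frame(
    host       = sort(unique(host)),
    events     = as.vector(tapply(count, host, sum)),
    peak_count = as.vector(tapply(count, host, max)),
    first_seen = as.vector(tapply(time, host, min)),
    stringsAsFactors = FALSE
  )
}

output <- summarise_by_host(input)
print(output)
```

Inside Splunk, drop the constructed `input` assignment and the `print` call, since the search supplies `input` and `output` is what gets sent back.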