Analyze Splunk Data in R

Access Splunk data with pure R script and standard SQL. You can use the CData ODBC Driver for Splunk and the RODBC package to work with remote Splunk data in R. By using the CData Driver, you are leveraging a driver written for industry-proven standards to access your data in the popular, open-source R language. This article shows how to use the driver to execute SQL queries to Splunk data and visualize Splunk data in R.

Install R

You can complement the driver's performance gains from multi-threading and managed code by running the multithreaded Microsoft R Open or by running R linked with the BLAS/LAPACK libraries. This article uses Microsoft R Open (MRO).

Connect to Splunk as an ODBC Data Source

Information for connecting to Splunk follows, along with different instructions for configuring a DSN in Windows and Linux environments.

To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.

The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

When you configure the DSN, you may also want to set the Max Rows connection property. This will limit the number of rows returned, which is especially helpful for improving performance when designing reports and visualizations.

Windows

If you have not already, first specify connection properties in an ODBC DSN (data source name). This is the last step of the driver installation. You can use the Microsoft ODBC Data Source Administrator to create and configure ODBC DSNs.

Linux

If you are installing the CData ODBC Driver for Splunk in a Linux environment, the driver installation predefines a system DSN. You can modify the DSN by editing the system data sources file (/etc/odbc.ini) and defining the required connection properties.

/etc/odbc.ini

For specific information on using these configuration files, please refer to the help documentation (installed and found online).

Load the RODBC Package

To use the driver, download the RODBC package. In RStudio, click Tools -> Install Packages and enter RODBC in the Packages box.

After installing the RODBC package, the following line loads the package:

Note: This article uses RODBC version 1.3-12. Using Microsoft R Open, you can test with the same version, using the checkpoint capabilities of Microsoft's MRAN repository. The checkpoint command enables you to install packages from a snapshot of the CRAN repository, hosted on the MRAN repository. The snapshot taken Jan. 1, 2016 contains version 1.3-12.

Connect to Splunk Data as an ODBC Data Source

You can connect to a DSN in R with the following line:

Schema Discovery

The driver models Splunk APIs as relational tables, views, and stored procedures. Use the following line to retrieve the list of tables:

Execute SQL Queries

Use the sqlQuery function to execute any SQL query supported by the Splunk API.

You can view the results in a data viewer window with the following command:

Plot Splunk Data

You can now analyze Splunk data with any of the data visualization packages available in the CRAN repository. You can create simple bar plots with the built-in bar plot function: