Blog

(Image: Salvatore Vuono / FreeDigitalPhotos.net)

This is hopefully the first in a series of posts dealing with the joys of developing dashboards and apps in Splunk.  In this post, I’d like to highlight different development options and introduce SideView Utils.

The Case for Dashboards

Organizations use Splunk in a variety of ways.  Uses range from monitoring a specific application to gaining enterprise-wide insight into their operations.  Insight can be gained on a variety of areas, ranging from health of IT infrastructure to business intelligence.  Splunk is great at gathering machine data from many sources, including web servers, applications, and network devices.  However, this data is only useful if it can be presented in a simple, easy to understand, and powerful way.  The starting point for gaining this insight is using Splunk’s Search app and search language to slice and transform the data into something useful.  This ad hoc-type searching is great for custom searches and for users knowledgeable in Splunk’s search language.  However, a more ideal situation would be for any user in the organization to navigate to a web-based application and see data in a powerful visual representation.  Enter dashboards.

Dashboard Development Options

Dashboards in Splunk aim to present complex search queries on varying-sized datasets in an intuitive and (hopefully) enlightening way.  Users can view data in a variety of formats such as pie charts, line graphs, and heat maps. Like in other aspects of Splunk, there is a variety of ways to accomplish a task varying in degrees of time/effort to execute and level of customization available.  Dashboard development is no different.  Here’s a list of ways one can create a dashboard:

1.  Splunk’s Visualization Editor. This is new in version 4.3 which was released recently.  This feature definitely deserves a blog post or two on its own, but in a nutshell basically allows a user to create a dashboard using a web UI.  The advantages to this method is speed of creation and accessibilty for users.  Because of the UI, it prevents users from having to delve into XML.  However, there may be a need more for customization in dashboard, which may not be available through the Visualization Editor.  If necessary, views created with the Visualization Editor are available for introspection and modification in basic XML through the Splunk Manager.
2. Basic XML.  Using Splunk's basic xml framework, a user can add more customization to the dashboard.  One approach to dashboard development may be a combination of using the Visual Editor and modifying Splunk's basic XML.
3. Advanced XML.  This is the Cadillac of app development for Splunk.  Using Advanced XML, one has immense control over the functionality and customization of a dashboard.  However, with this power comes a price.  One has to learn about the mysteries of "Intentions" and "Converting to Intentions"  (Which are basically a way to use variables in one part of a dashboard to drive searches and data manipulation in other areas).  Although not impenetrable, this can pose some challenges to someone new to Splunk development and increases the learning curve.