I am looking for some advice around dashboard creation in Splunk.
I have created basic test dashboards using Sideview and separate dashboards using the Simple XML inside Splunk.
For those experts out there... what would you recommend using to future-proof my dashboards?
I find Sideview a lot easier to use; however, will Splunk eventually bring this functionality to the core product? If so, would migration be easy from Sideview back into Splunk?
Will Sideview be maintained moving forward?
Are there any major advantages / disadvantages between Simple XML and Sideview?
Sideview is certainly still actively maintained. You can always check out our release notes here, and get on the mailing list for future updates here. By our count there are a couple thousand companies using it and the release of new UI features in both Splunk 6.0 and 6.1 has not dented our download numbers. In fact they are a bit up.
There is a lot of uncertainty as to what will happen to the old UI systems, commonly known as "the advanced XML". There's also sometimes a little misinformation. I have talked to a lot of customers who were told that the Advanced XML would be removed in 5.0, 6.0, or 6.1. Or customers who were told that Sideview Utils would definitely not work in 6.1, and the like (obviously these were false). I somewhat regularly meet folks who ask me what Sideview will do when the advanced XML is removed in 7.0 and I try to politely disagree.
In Splunk 6.0 and 6.1 they have certainly moved away from that system in the core product and in most of their apps. However, a) many of Splunk's own apps continue to run on top of the advanced XML to this day, and b) any deprecation or removal of the advanced XML would be over the dead bodies of a significant number of customers. Might Splunk do it anyway? I have no idea. I doubt it. It doesn't really cost them anything because the primary carrier of the support burden on the old system at this point is Sideview itself. There are hundreds of bugs patched and feature gaps filled by Sideview Utils at this point, a contribution that has outstripped the improvements and bugfixes contributed by Splunk.
But it's more complicated than just Simple XML vs Advanced XML. Let's break it down.
a) The simple XML, but only using the dashboard wizard. This is great. It's a lot less limited than it used to be, but it still has limitations. But the technical bits of your brain can focus on the search language, and most of the rest is available in the wizards.
b) The simple XML, but hand-editing the simple XML format. You can do a bit more with this but you lose that dashboard-wizard, visualization-editing awesomeness and now you're hand-editing XML. This layer is kind of a bummer, and since ultimately you're still pretty limited, customers in my experience tend to jump to Sideview Utils from here after a short time.
c) The advanced XML, using only core Splunk modules. This is terrible. Nobody uses this and you shouldn't either. If you look on answers, for a long time now the people posting advanced XML questions are all using Sideview Utils modules.
d) The advanced XML, but using the Sideview modules instead of the core ones and using the core patches from Sideview Utils. Lots of new features, normalized conventions and systems, less verbose XML syntax. But yes, ultimately there are the same really weird things and the XML hierarchy is still there, and you have to read the Sideview Utils docs page "Introduction to the Advanced XML" to understand it and to thrive. And you're editing XML. You can use the Sideview Editor, which is a fully featured authoring system for the Sideview views, although many people do still choose to hand-edit the XML.
As for how to enumerate the advantages, that is hard. Certainly if you play with the Splunk 6.1 dashboard wizard you come away thinking it's totally awesome and it'll be totally sufficient. But if you actually make dashboards for a day or a week you'll still hit limitations.
Going the other way, let's say you go through Sideview Utils, specifically through the 60+ documentation and examples pages and through the params and features of all the Sideview Utils modules. As you're going through, ask yourself how many of those features can be accomplished with the dashboard wizard. The answer is actually not very many.
Nick, I was just about to write you an email asking you about this very issue.
And I have to say I share your opinion that there will be an uproar from customers if they remove advanced XML. Most of my complex dashboards use it in a production environment. We are talking about a large amount of business transactions being monitored which would stop suddenly. I don't think my company would take this lightly.
Furthermore, I am curious, what is the major (it's gotta be major!) advantage that prompted Splunk to move to HTML dashboards? (especially after they got all their customers on the XML bandwagon)