
XML to Advanced XML and SIDEVIEW


I am about to embark on a dashboard conversion where professional guidance is welcome. I am going to convert my very large standard XML dashboard with about 25 panels into advanced XML and then add a time-range selector.

Current Planned Steps:

  1. Convert to advanced XML
  2. Keep scheduled searches because they are also used for alerts: Will sideview have a problem with that?
  3. Once the dashboard is converted, a time range selector is required. All of my scheduled searches are set to search earliest=-2h@h latest=now. Timecharts are set for span=2m. If someone changes the time range selector to a day, can span=2m be changed to span=12m automatically so the chart resolution stays the same?


1) Converting from Simple XML to "Sideview XML".

I advise avoiding the "simple XML to advanced XML" conversion method that Splunk provides, because the advanced XML you will end up with is the core Splunk advanced XML with core Splunk modules, and as such the XML is extremely long, nested and complex, and you'll have to throw most of that away to convert it to Sideview XML. It's far easier to just manually convert the simple XML blocks to their Sideview XML equivalents.

And I do apologize for not yet having a "simple XML to Sideview XML" converter tool.

However, manually converting a block of simple XML panels to Sideview XML is not actually very difficult once you have read at least the first couple of documentation pages within the Sideview Utils app. For instance, a chart block, at its core, would translate as:

<module name="SavedSearch">
  <param name="name">Your Saved Search Name Here</param>

  <module name="ValueSetter">
    <param name="arg.charting.chart">bar</param>

    <module name="JSChart" />
  </module>
</module>

2) Scheduled Search concerns:

Sideview XML has no problem dealing with scheduled searches. You can use either Splunk's HiddenSavedSearch module or Sideview's SavedSearch module (the Sideview module's primary benefit is that it can unpack saved visualization settings from searches that were saved from a Sideview-style report builder view, but if you don't have any of those in your app then the modules are basically interchangeable).

3) Timechart span
My recommendation is a little weird -- rather than specify span=2m at all, specify the bins argument to timechart instead. bins gives timechart a number of time buckets that it is not to exceed, and timechart will try to pick a bucket size so as to come as close as possible to that ceiling. Thus if you play around with bins, you will find a bins number that ends up producing buckets that are 2 minutes long. The benefit of this is that no matter what time range the saved search might be manually run over later, it will always generate approximately the same number of buckets.

However, many people have asked this same question, such that I wrote up a way to do it a while back. It is very strange in that it involves stitching in an extra Search and an advanced module called "ResultsValueSetter", but it can provide very fine-grained control over what span arguments are used for what timerange lengths.
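The bins-versus-span trade-off from point 3, as an added example that is not from the original answer or from Splunk: a small Python script that resolves Splunk-style relative time modifiers (earliest=-2h@h latest=now), then picks the smallest bucket size from a constructed ladder that keeps the window within a bucket ceiling, which is the effect a bins= argument is meant to have. The ladder, the reference clock, and the s/m/h/d subset of modifiers are assumptions; Splunk's own auto-span table is not reproduced here.

```python
import re
from datetime import datetime, timedelta

# Seconds per unit for the relative-time units handled here (assumption: s/m/h/d suffice)
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Constructed ladder of bucket sizes (seconds) to snap up to; not Splunk's own table
CANDIDATE_SPANS = [1, 5, 10, 30, 60, 120, 300, 600, 900, 1800, 3600, 7200, 14400, 43200, 86400]
# Optional 'now', optional signed offset such as '-2h', optional snap such as '@h'
_MODIFIER = re.compile(r"^(now)?(?:([+-]\d+)([smhd]))?(?:@([smhd]))?$")
# Constructed reference clock used in place of the real 'now'
REFERENCE_NOW = datetime(2022, 6, 27, 10, 17, 42)


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit, which is what '@unit' means in Splunk."""
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t.replace(microsecond=0)


def resolve_relative(modifier: str, now: datetime) -> datetime:
    """Resolve 'now', '-2h@h', '-24h' etc. against now: offset first, then snap."""
    m = _MODIFIER.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    _, amount, unit, snap = m.groups()
    t = now + timedelta(seconds=int(amount) * UNIT_SECONDS[unit]) if amount else now
    return _snap(t, snap) if snap else t


def format_span(seconds: int) -> str:
    """Render a bucket size in the largest whole unit that divides it, e.g. 7200 -> '2h'."""
    for unit in ("d", "h", "m", "s"):
        if seconds % UNIT_SECONDS[unit] == 0:
            return f"{seconds // UNIT_SECONDS[unit]}{unit}"
    return f"{seconds}s"


def choose_span(earliest: str, latest: str, max_buckets: int, now: datetime) -> str:
    """Smallest candidate span that keeps the window within max_buckets buckets (the bins idea)."""
    start, end = resolve_relative(earliest, now), resolve_relative(latest, now)
    window = (end - start).total_seconds()
    if window <= 0:
        raise ValueError("latest must be after earliest")
    floor = window / max_buckets
    return format_span(next((s for s in CANDIDATE_SPANS if s >= floor), CANDIDATE_SPANS[-1]))
```

With a ceiling of 120 buckets the -2h@h window lands on 2m while a 24h window lands on 15m, so the chart keeps roughly the same resolution as the selector changes.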



I've been messing with bins but I cannot get a 2m span, only 5 mins or 1 min. Maybe it's the way this installation of Splunk is configured?
