Latest version: 0.7.1

Canary (0.7.1 Beta)

Sideview XML views that align with our best practices can be automigrated to Canary and so will run in Splunk even after the "Advanced XML" is gone.
Although the Editor should follow not long after 1.0 is out, the new view format is a bit better than the old XML.

App Details

Last updated: Sept 14th, 2019
First released: Aug 23rd, 2019
Splunk compatibility: 7.0 - 7.3.X
CIM compliance: N/A

Canary is an app that you install into Splunk and that implements its own extensible user interface and dashboarding system. Canary and other apps can thus contain views authored in the Sideview XML or in the new Canary YAML, and Canary’s systems can render those views in those apps as interactive user interfaces for Splunk’s end users. It has been in development since approximately 2013. It is a descendant of Sideview Utils, but whereas Sideview Utils ran on top of Splunk’s “Advanced XML” systems, Canary does not. Canary’s only dependencies on Splunk technology are:

  1. When you, the user, “go to” a view using the Canary UI, you are going to a custom scripttype=persist endpoint in Splunk. The code that responds to your browser’s request and returns the HTML to it is implemented by that handler within the Canary app. (The URL also generally includes which view, in which app, you would like it to render for you.)
  2. It relies on the fact that Splunkweb serves static JS and CSS files from the /static/app/$app$ URLs.
  3. If you go to its pages in your browser, it will use your Splunk session token to kick off searches in the Splunk Search API, and to talk to other endpoints in the Splunk REST API, just like Splunk’s more familiar user interface systems do.

That’s it. Everything else is inside Canary itself. It is mostly proprietary code developed by Sideview, but there are certainly some open source libraries used for some specific pieces.

Questions that might get asked frequently as time goes on:

Should I care about this?

If you’re a Splunk admin who owns a lot of legacy Sideview XML dashboards, definitely. If you’re a customer of any commercial Sideview Apps, definitely. If you’re a Splunk App developer, maybe. If you’re just a regular Splunk user, it doesn’t have any general purpose search and reporting UI yet so… probably not yet.

What? Why did you do this? Why not use HTML dashboards or Simple XML extensions?

The Simple XML is great but far too limited for app development. Extending the Simple XML is certainly very possible, and many people have built many amazing extensions. However, there have been stories that maintenance of complex extensions gets tricky as things underneath you change in major Splunk releases. As for Splunk’s HTML dashboard systems, those are very powerful, but using them to build commercial apps amounts to building tons of page-specific logic in raw JS source code, which becomes very challenging to maintain.

The Canary is also crazy fast…

What is it built in?

Basically just ES6. There are no larger frameworks like React or Angular or Backbone here. It’s itself. It does use RequireJS and jQuery heavily. There are a couple of places that use some jQuery UI widgetry. For its client-side charting it uses Chart.js. It uses some Mako, although not nearly as much as Sideview Utils did, and this may well be eliminated in a future release.

Will it be free to use?

This isn’t final but it’s likely that if/when it is publicly available it will have some kind of freemium model, so “probably yes kinda”.

What’s missing or not built yet in the current version?

It makes no attempt to duplicate the functionality of the Admin section, aka “Settings”. There is no general-purpose search or reporting view at this time (although those will come). There is no replacement yet for the Sideview Editor, so if you’re brave enough to try making custom dashboards you’ll be editing XML or YAML by hand like a caveman.

Does it contain any actual code from Splunk’s Advanced XML systems or license any code from them?

No. All of the pieces that comprise Canary, aside from the little open source libraries therein, were developed from scratch starting in about 2013. The modules were for the most part ported from Sideview Utils, and the process of building a brand new UI from scratch to meaningfully run the fairly complex and mature codebase that comprised the Sideview UI modules was extremely long and painful.

Any and all feedback is welcome

No amount of detail is too large. Use our Contact page, or come find us on the Splunk Slack – @madscient_sideview and @richfez_sideview.

If you want to ask a tiny question or a huge question, both are great. If you want to send 126 Advanced XML views and ask us if they will run in Canary, you can do that. If you want to try it out yourself, we’ll be letting people do this to some extent – ask us. If you want to ask us a question that’s answered on this page… um, that’s fine too.