Canary

 

For anyone who just wants a lot more technical detail

Canary is an app that you install into Splunk and that implements its own extensible user interface and dashboarding system. Canary and other apps can thus contain views authored in the Sideview XML or in the new Canary YAML, and Canary’s systems can render those views in those apps as interactive user interfaces for Splunk’s end users. It has been in development for many years. It is a descendant of Sideview Utils, but whereas Sideview Utils ran on top of Splunk’s “Advanced XML” systems, Canary does not. Canary’s only dependencies on Splunk technology are:

  1. When you “go to” a view using the Canary UI, you are going to a custom “scripttype=persist” endpoint in Splunk. The code that responds to your browser’s request and returns the HTML is implemented by that handler within the Canary app. (The URL that you go to also specifies the app and the view that you are ‘going to’.)
  2. It also relies on the fact that Splunkweb serves static JS and CSS files from the /static/app/$app$ URLs, so that the HTML can load the Canary CSS and JS.
  3. If you go to its pages in your browser, it will use your Splunk session token to kick off searches in the Splunk Search API, and to talk to other endpoints in the Splunk REST API, just like Splunk’s more familiar user interface systems do.

Canary does not contain, import or rely in any way on any Splunk code from Splunk’s old “Advanced XML” systems.

What’s missing or not built yet in the current version?

Canary makes no attempt to duplicate the functionality of the Admin section, aka “Settings”. There is no general-purpose search or reporting view at this time (although those will come). There is no replacement yet for the Sideview Editor, so if you’re brave enough to try making custom dashboards you’ll be editing XML or YAML by hand like a caveman.

How much of the ‘Advanced XML’ content out there will run in Canary?

This is a good question. We don’t know. Almost certainly less than half of all “Advanced XML” out there in the world will run without any modification.

  • If you have only ever copied and pasted sample config from Sideview Utils documentation, the view has a good chance of running fine.
  • If you mixed and matched a lot of obsolete Splunk modules… it depends, but there is a mapping from some obsolete modules to Canary modules, and in some cases it will even rewrite params a bit for you, so they still make sense.
  • Below that, if you use any totally obsolete Splunk modules, or if your view relies on a lot of “custom behavior” written in JavaScript, you will certainly have some conversion work to do. However, Canary *should* give you a list of errors and warnings, and these try to be informative so that developers can potentially work through them one by one.

What is it built in?

Basically just ES6. There are no larger frameworks like React or Angular or Backbone here. It’s itself. It does use RequireJS and jQuery heavily. There are a couple of places that use some jQuery UI widgetry. For its client-side charting it uses Chart.js. It uses some Mako, although not nearly as much as Sideview Utils did, and this may well be eliminated in a future release.

We (Rich + Nick) will be at the Splunk User Conference!
We won’t have a booth there this year; however, we will both be floating around the “Ask The Experts” area and we should be relatively easy to find in the Community areas overall. For more info (which we’ll try to keep up to date), see this blog post on conf19.

Nick will also be giving two talks. Note that neither of these talks is about Canary or even Sideview, but come anyway because they’re interesting.
1) Master Joining without using join
2) Wayback machine – Driving around in Splunk 1.0, 2.0 and 3.4