Splunking Exchange in a Simple XML World

With the release of Splunk 5.0, the Simple XML language we use to define the dashboards and forms for an app was greatly extended. So, we were given a challenge: could a reasonably complex app, such as the Splunk App for Microsoft Exchange, be represented using only Simple XML?

Most apps that are developed outside of the point-and-click interface use Advanced XML. This is a more complex definition language that allows for flexibility and extensibility – things that are generally important. Modules such as Google Maps and Sideview Utils rely on this extensibility to handle complex cases outside the bounds of the core language.

Simple XML is, well, simpler, and provides even the newest of Splunk professionals the ability and opportunity to develop an interesting set of dashboards for Splunk. However, as a result of providing this simplification, the extensibility is sacrificed. Generally, this is a good thing. It makes app development more accessible. Seasoned veterans of Splunk app development can always move to Advanced XML later on, and particularly complex views can be written in Advanced XML while leaving the bulk of the app in Simple XML.

App development got a boost in Splunk 5.0 with the addition of two important features – Report Acceleration and native PDF Generation. However, these are only available when developing apps in Simple XML. In addition, when the dashboard is written in Simple XML, you – the Splunk Administrator – can edit the dashboard using the web-based dashboard editor.
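To make the Simple XML/Advanced XML distinction concrete, here is an added example of a small Simple XML form of the kind discussed above. It is not taken from the Splunk App for Microsoft Exchange; the index name `msexchange`, the sourcetype `MSExchange:2010:MessageTracking` and the field names `sender` and `recipient` are assumptions for illustration, and the searches would need to match whatever your forwarders actually index. Everything in it is plain Simple XML (a `form` with a `fieldset`, `chart` and `table` panels, per-panel `searchString`/`earliestTime`/`latestTime`), so it is eligible for the web-based dashboard editor, PDF generation and report acceleration, with no module or extension the core language lacks.

```xml
<!-- Added example, not the app's own view. Index, sourcetype and field names are assumptions. -->
<form>
  <label>Exchange message tracking (example)</label>

  <!-- autoRun="true" runs the panel searches with the default token values on load -->
  <fieldset autoRun="true">
    <input type="text" token="sender">
      <label>Sender address (wildcards allowed)</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <!-- Time series of messages sent by the chosen sender over the last day -->
    <chart>
      <title>Messages per hour from $sender$</title>
      <searchString>index=msexchange sourcetype="MSExchange:2010:MessageTracking" sender="$sender$" | timechart span=1h count</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">line</option>
    </chart>

    <!-- Tabular breakdown of who that sender mailed most; useful for spotting unusual fan-out -->
    <table>
      <title>Top recipients for $sender$</title>
      <searchString>index=msexchange sourcetype="MSExchange:2010:MessageTracking" sender="$sender$" | top limit=20 recipient</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>
```

Save a file like this under the app's `default/data/ui/views/` directory (assumed standard app layout) and it appears as a form in the app's navigation; the `$sender$` token is substituted into both searches from the text input. If you later needed something Simple XML cannot express, such as a map panel, only that view would have to move to Advanced XML.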

So, how did we do with the Splunk App for Microsoft Exchange? It is one of the larger apps, having over 150 panels across 50 views. I’m happy to say that of all the panels that were developed in Advanced XML, only one could not be converted and used in Simple XML. That one? That’s the one that uses an extension of Advanced XML allowing you to visualize your data using a Google Maps view.

While we were doing this, we also implemented new routines to support the Windows performance gathering that was introduced in Splunk 5.0, and we added new functionality to support additional features in Microsoft Exchange 2013 and Windows Server 2012.

This does mean that you need to be running Splunk v5.0.2 on your search heads, or central Splunk instance, and that you need to be running Splunk Universal Forwarder v5.0.2 on your Microsoft Exchange servers. We’ve gone to some length to ensure the data dictionary doesn’t change, however, so you can upgrade the search head independently from the Exchange hosts.

I encourage you to download Splunk App for Microsoft Exchange and let us know what you think, what you would improve, and what you would change.
