When building dashboards, my approach is generally as follows:
- Create the required queries.
- Add the queries to a simple XML dashboard. Use the GUI tools to tweak the dashboard as much as possible. If possible, finish all graphical changes at this stage.
- If form elements are needed, convert the simple XML dashboard to a form. If possible, make all logic work with simple XML.
- Convert the simple XML dashboard to an advanced XML dashboard. There is no reverse conversion possible, so this should be done as late as possible and only if needed.
- Edit the advanced XML dashboard accordingly.
The idea is to take advantage of the Splunk GUI tools as much as possible, letting the simple XML conversion process add all of the advanced XML that you would otherwise have to find yourself. We covered steps 1-3 in the previous chapters. Step 4 is covered in the Converting...