Canary | Tech Questions

For Anyone Who Just Wants a Lot More Technical Detail

Canary is an app that you install into Splunk that implements its own extensible user interface and dashboarding system. Canary and other apps can thus contain views authored in the Sideview XML or in the new Canary XML or YAML, and Canary’s systems can render those views in those apps as interactive user interfaces for Splunk’s end users. It has been in development for many years. It is a descendant of Sideview Utils, but whereas Sideview Utils ran on top of Splunk’s Advanced XML” systems, Canary does not. Canary’s only dependencies on Splunk technology are:

  1. When you go to” a view using the Canary UI, you are going to a custom scripttype=persist” endpoint in Splunk. The code that responds to your browser’s request and returns the HTML to it is implemented by that handler within the Canary app (The URL that you go to also specifies the app and the view that you are going to’).
  2. It also relies on the fact that Splunkweb serves static JS and CSS files from the /static/app/$app$ URL’s so that the HTML can load the Canary CSS and JS.
  3. If you go to its pages in your browser, it will use your Splunk session token to kick off searches in the Splunk Search API, and to talk to other endpoints in the Splunk REST API, just like Splunk’s more familiar user interface systems do.

Canary does not contain, import, or rely in any way on any Splunk code from Splunk’s old Advanced XML” systems.

What’s missing or not built yet in the current version?

Canary makes no attempt to duplicate the functionality of the Admin section aka Settings.” There is also no general-purpose search or reporting view at this time (although those will come).

How much of the Advanced XML’ content out there will run in Canary?

This is a good question and one that’s hard to give a definite answer to. Almost certainly less than half of all Advanced XML” out there in the world will run without any modification.


  • If you have only ever copied and pasted sample config from Sideview Utils documentation, the view has a good chance of running fine.
  • If you mixed and matched a lot of obsolete Splunk modules: it depends, but there is a mapping from some obsolete modules to Canary modules, and in some cases, it will even rewrite params a bit for you so they still make sense.
  • Down from that, if you use any totally obsolete Splunk modules, or if your view relies on a lot of custom behavior” written in Javascript, you will certainly have some conversion work to do. However, Canary *should* give you a list of errors and warnings, and these try to be informative so that developers can potentially work through them one by one.

What is it built in?

Basically just ES6. There are no larger frameworks like React or Angular or Backbone here. It’s itself. It does use RequireJS and JQuery heavily. There are a couple of places that use some JQueryUI widgetry. For its client-side charting, it uses Chart.js. It uses some Mako, although not nearly as much as Sideview Utils did, and this may well be eliminated in a future release.