When building dashboards, my approach is generally as follows:
- Create the needed queries.
- Add the queries to a simple XML dashboard. Use the GUI tools to tweak the dashboard as much as possible. Finish all graphical changes at this stage, if possible.
- Convert the simple XML dashboard to a form if form elements are needed. Make all logic work with simple XML if possible.
- Convert the simple XML dashboard to an advanced XML dashboard. There is no reverse conversion possible, so this should be done as late as possible, and only if needed.
- Edit the advanced XML dashboard accordingly.
The idea is to take advantage of the Splunk GUI tools as much as possible, letting the simple XML conversion process add all of the advanced XML that you ...