Some data missing / field extraction

MERBAG
Explorer

Hi,

We just installed the App Template for Citrix XenDesktop 7 to do some monitoring of our Citrix environment. We have two Brokers and about 120 VDAs.

For the first test the Broker add-on was deployed to the two brokers, and the VDA app was deployed to one VDA.

After a while we did start to receive some data, but it looks like something does not work as it should, and maybe some of you guys can assist here a bit.

When I click through the dashboards, the following do not have any data, or data seems to be missing:

  • Environment Overview -> "Popular Applications" does not find any data, the application info in the "Site Details" does show 102 applications
  • Environment Overview -> "Users by Site" here I can see between 2 and 4 users, but the CTX farm is hosting around 800 users
  • Usage Calendar -> Does not show any data
  • User Activity -> just shows a few users, but only the fields "User Name", "Machine Name", "IP Address" and "Client Version" do contain data, the fields Start Time, Session Duration and Application(s) are empty
  • Applications Overview -> does not contain any data
  • Installed Software by Application Name -> does not contain any data
  • When I run the search "xd_index sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen; also, one result block contains more than one result

I hope someone can tell me what is going wrong here and provide some help. When I search for ERROR in the splunkd logs everything is OK, no errors found.

Thanks a lot for the assistance.

UPDATE: In the meantime I found out that there is a similar issue like for the session searches when I run this search: xd_index sourcetype=xendesktop:*:application

0 Karma

MERBAG
Explorer

Hi,

First of all, thanks a lot for your response. Let me clarify some things here.

When I run the search

`xd_index` sourcetype="xendesktop:*:session" ApplicationsInUse!=""

I do not receive any result, but when I remove the filter ApplicationsInUse!="" I do get a lot of results, which of course makes sense. But I think this may be caused by the missing field separation, which I wanted to tell you about. As I see it, the problem here is that one Splunk line contains MANY data, so in the first line (which represents the first user) the ApplicationInUse field is empty, but in some of the following lines the data there is not empty. Unfortunately one response line is so large that I cannot fit it into a screenshot, but here is an example:

Hope you do now see the point here.

Next point regarding the missing user information, the add-on is now running for 4 days. But nothing changed here.

Next point when I rebuild the calendar usage lookup file, there is no data, I just see a message "No results found"

Regarding the time format issue, I am not sure where this needs to be changed? I did not change any PowerShell script, nor the app or any dashboards/searches.

Last but not least, the searchmode is set to "Smart" - so no idea what is going wrong here.

Really hope you can help to resolve those issues.

Thanks!

0 Karma

jconger
Splunk Employee

I'll try to address your questions one-by-one:

  • Environment Overview -> "Popular Applications" does not find any data, the application info in the "Site Details" does show 102 applications

Popular Applications is populated by a session search - specifically, it looks at the "ApplicationsInUse" field. Here is the root of the popular applications search:

`xd_index` sourcetype="xendesktop:*:session" ApplicationsInUse!=""

Site Details is populated by a site search. In other words, "popular applications" tells you which applications users use in their session. "Site details" tells you which applications are published in your site.

Looking at your first screen shot, all the ApplicationsInUse fields are empty. This can happen when a user just launches a desktop and not a published application.

  • Environment Overview -> "Users by Site" here I can see between 2 and 4 users, but the CTX farm is hosting around 800 users

All of this data comes from the broker add-on, so you should be seeing more. How long have you been running this add-on?

  • Usage Calendar -> Does not show any data

This data is generated by a saved search that populates a lookup. You can manually run the search by going to Help -> Rebuild Lookup Files -> Update Calendar usage Report

  • User Activity -> just shows a few users, but only the fields "User Name", "Machine Name", "IP Address" and "Client Version" do contain data, the fields Start Time, Session Duration and Application(s) are empty

This looks like a time formatting issue for Start Time. In your data, the time format is dot-separated (%m.%d.%Y %H:%M:%S %Z). The search expects slash-separated (%m/%d/%Y %H:%M:%S %Z). Here is the relevant part:

convert timeformat="%m/%d/%Y %H:%M:%S %Z" mktime(StartTime)

This would need to be changed to:

convert timeformat="%m.%d.%Y %H:%M:%S GMT" mktime(StartTime)

But, the add-on should have formatted the StartTime field though. Here is an excerpt from the add-on's PowerShell script:

if($Key -eq "StartTime") {
    $Value = "{0:MM/dd/yyyy HH:mm:ss} GMT" -f ([datetime]$Value).ToUniversalTime();
}

Did you modify the add-on's PowerShell script?

The Application(s) part makes use of the "ApplicationsInUse" field discussed above.

  • Applications Overview -> does not contain any data

This dashboard uses the "ApplicationsInUse" field mostly.

  • Installed Software by Application Name -> does not contain any data

This may be caused by a lookup for Site Name. The data for this dashboard does not contain a site name, so an automatic lookup is utilized to populate a Site Name. The lookup file for this automatic lookup is generated from a saved search. You can regenerate this file by going to Help -> Rebuild Lookup Files -> Rebuild Machine to Site Lookup File

  • When I run the search "xd_index sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen; also, one result block contains more than one result

I am unable to tell from your screenshot, but it looks like the search mode is "Fast". Try changing it to "Smart"

0 Karma
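
An added example, not part of the thread or of the add-on's script, showing one way the quoted format string can emit dot-separated dates without being modified: the PowerShell -f operator formats with the current culture, and an unescaped "/" in a .NET date pattern means "the culture's date separator". The de-DE culture, the sample timestamp and the function names Format-StartTime and Test-SlashFormat are assumptions made for the illustration.

```powershell
# Added illustration; the timestamp is constructed, not taken from the thread.
$sample = [datetime]::new(2015, 3, 9, 14, 5, 30, [System.DateTimeKind]::Utc)

$invariant = [System.Globalization.CultureInfo]::InvariantCulture
# Assumption: de-DE stands in for any host culture whose date separator is ".".
$assumedHost = [System.Globalization.CultureInfo]::GetCultureInfo('de-DE')

function Format-StartTime {
    param(
        [datetime]$Time,
        [System.Globalization.CultureInfo]$Culture,
        [string]$Pattern = 'MM/dd/yyyy HH:mm:ss'   # pattern from the add-on excerpt
    )
    # An unescaped "/" is a placeholder for the culture's date separator,
    # so the same pattern yields different text under different cultures.
    $Time.ToUniversalTime().ToString($Pattern, $Culture) + ' GMT'
}

function Test-SlashFormat {
    param([string]$Text)
    # True only when $Text is literally slash-separated, which is what the
    # dashboard's convert timeformat="%m/%d/%Y %H:%M:%S %Z" expects.
    $parsed = [datetime]::MinValue
    [datetime]::TryParseExact(
        $Text, "MM'/'dd'/'yyyy HH':'mm':'ss 'GMT'", $invariant,
        [System.Globalization.DateTimeStyles]::AssumeUniversal, [ref]$parsed)
}

$hostStyle      = Format-StartTime $sample $assumedHost
$invariantStyle = Format-StartTime $sample $invariant
# Escaping the separators keeps them literal under any culture.
$escapedStyle   = Format-StartTime $sample $assumedHost 'MM\/dd\/yyyy HH\:mm\:ss'

foreach ($s in $hostStyle, $invariantStyle, $escapedStyle) {
    [pscustomobject]@{
        StartTime     = $s
        MatchesSearch = (Test-SlashFormat $s)
    }
}
```

Under the assumed culture the first row is dot-separated and fails the check, while the invariant and escaped variants stay slash-separated and pass.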

MERBAG
Explorer

After I did some more research, I think my main issue is this point:

  • When I run the search "xd_index sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen; also, one result block contains more than one result

As you can see in my screenshot in the main post, this also seems to be causing that there is no "application data" etc., because all those blocks represent a separate user with separate applications and the app cannot handle that because everything is one large field.

But not sure how that can be fixed.

0 Karma