Hi,
we just installed the App Template for Citrix XenDesktop 7 to do some monitoring of our Citrix environment. We do have two Broker and about 120 VDA..
For the first test the Broker add-on was deployed to the two brokers, and the VDA app was deployed to one VDA.
After a while we did start to receive some data, but it looks like something does not work as it should and maybe someone of you guys can assist here a bit.
When I click through the dashboards, the following do not have any data, or data seems to be missing:
xd_index
sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen, also one result block is containing more then one result
I hope someone can tell me what is goind wrong here and provide some help. When I search for ERROR in the splunkd logs everything is OK, no errors found.
Thanks a lot for the assistance.
UPDATE: In the meantime I found out that there is a similar issue like for the session searches when I run this search: xd_index
sourcetype=xendesktop:*:application
Hi,
First of all thanks a lot for you respone. Let me clarify some things here.
When I run the search
`xd_index` sourcetype="xendesktop:*:session" ApplicationsInUse!=""
I do not receive any result, but when I remove the filter ApplicationsInUse!="" I do get a lot of results, which of course make sense. But I think this is may be cause by the fact of the missing field seperation, which I wanted to tell you, as I see it, the problem here is that one splunk line does contain MANY data, so in the first line (which represents the first user) the ApplicationInUse field is empty, but in some of the following lines, the data there is not empty. Unfortunatly one respone line is so large, that I cannot fit it into a screenshot, but here is an example:
Hope you do now see the point here.
Next point regarding the missing user information, the add-on is now running for 4 days. But nothing changed here.
Next point when I rebuild the calendar usage lookup file, there is no data, I just see a message "No results found"
Regarding the time format issue, I am not sure where this needs to be changed? I did no change at any powershell script nor the app or any dashboard/searches.
Last but not least, the searchmode is set to "Smart" - so no idea what is going wrong here.
Really hope you can help to resolve those issues.
Thanks!
I'll try to address your questions one-by-one:
Popular Applications is populated by a session search - specifically, it looks at the "ApplicationsInUse" field. Here is the root of the popular applications search:
`xd_index` sourcetype="xendesktop:*:session" ApplicationsInUse!=""
Site Details is populated by a site search. In other words, "popular applications" tells you which applications users use in their session. "Site details" tells you which applications are published in your site.
Looking at your first screen shot, all the ApplicationsInUse fields are empty. This can happen when a user just launches a desktop and not a published application.
All of this data comes from the broker add-on, so you should be seeing more. How long have you been running this add-on?
This data is generated by a saved search that populates a lookup. You can manually run the search by going to Help -> Rebuild Lookup Files -> Update Calendar usage Report
This looks like a time formatting issue for Start Time. In your data, the time format is dot-separated (%m.%d.%Y %H:%M:%S %Z). The search expects slash-separated (%m/%d/%Y %H:%M:%S %Z). Here is the relevant part:
convert timeformat="%m/%d/%Y %H:%M:%S %Z" mktime(StartTime)
This would need to be changed to:
convert timeformat="%m.%d.%Y %H:%M:%S GMT" mktime(StartTime)
But, the add-on should have formatted the StartTime field though. Here is an excerpt from the add-on's PowerShell script:
if($Key -eq "StartTime") {
$Value = "{0:MM/dd/yyyy HH:mm:ss} GMT" -f ([datetime]$Value).ToUniversalTime();
}
Did you modify the add-on's PowerShell script?
The Application(s) part makes use of the "ApplicationsInUse" field discussed above.
This dashboard uses the "ApplicationsInUse" field mostly.
This may be caused by a lookup for for Site Name. The data for this dashboard does not contain a site name, so an automatic lookup is utilized to populate a Site Name. The lookup file for this automatic lookup is generated from a saved search. You can regenerate this file by going to Help -> Rebuild Lookup Files -> Rebuild Machine to Site Lookup File
xd_index
sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen, also one result block is containing more then one resultI am unable to tell from your screenshot, but it looks like the search mode is "Fast". Try changing it to "Smart"
After I did some more research, I think my main issue is this point:
xd_index
sourcetype=xendesktop::session SiteName=""" I do receive a lot of results, but what seems weird to me is that no field extraction seems to happen, also one result block is containing more then one resultAs you can see in my screenshot in the main post.. this seems also causing that there is no "application data" etc, because all those blocks represent a seperate user with seperate applications and the app cannot handle that because everything is one large field.
But not sure how that can be fixed.