1 Solution
I found the answer to my question. VMWare Horizon can send data to Splunk as Syslog target. You can have your connection servers configured to send logs to Splunk. You can configure a Syslog input and create a VMWare index on port 514. You can then create custom dashboards. I recommend using Splunk universal forwarder dedicated for your Syslog input. You can find more information and an example dashboard in this post. Just create two new dashboards and import the attached xml dashboards.
<form theme="dark">
<label>CONTOSO Horizon View Login Diagnostics</label>
<description>User statistics for you Horizon View farm</description>
<fieldset autoRun="true" submitButton="true">
<input type="time" searchWhenChanged="true" token="tok.time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok.pool">
<label>Pool</label>
<choice value="*">All</choice>
<choice value="*Windows 7">Windows 7</choice>
<choice value="*Windows 10">Windows 10</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>DesktopDisplayName</fieldForLabel>
<fieldForValue>DesktopDisplayName</fieldForValue>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$tok.time.earliest$ latest=$tok.time.latest$ | stats count by DesktopDisplayName| sort - count |fields - count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Desktop Event Types Over Time</title>
<chart>
<search>
<query>index=vmware EventType!=Null | timechart count by EventType</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType!=Null | stats count by EventType</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<title>Desktop Logins Over Time</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Desktop Shutdown Over Time</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
<form theme="dark">
<label>CONTOSO Horizon View Login Activity</label>
<description>User statistics for you Horizon View farm</description>
<fieldset autoRun="true" submitButton="true">
<input type="time" searchWhenChanged="false" token="tok.time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok.pool">
<label>Pool</label>
<choice value="*">All</choice>
<choice value="*Windows 7">Windows 7</choice>
<choice value="*Windows 10">Windows 10</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>DesktopDisplayName</fieldForLabel>
<fieldForValue>DesktopDisplayName</fieldForValue>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$tok.time.earliest$ latest=$tok.time.latest$ | stats count by DesktopDisplayName| sort - count |fields - count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<single>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$| stats count(_raw) as "Total Connections"</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Total Logins</option>
</single>
<single>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats dc(UserDisplayName) as "Total Users"</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Total Users</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Frequent User Logins</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) by UserDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) as Logins, count(UserDisplayName) as Percent by UserDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Frequent Pool Logins</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) as Logins by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Frequent User Logins</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) by MachineName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) as Machines, count(MachineName) as Percent by MachineName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Frequent Connection Managers</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) by host</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) as Logins by host</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
I found the answer to my question. VMWare Horizon can send data to Splunk as Syslog target. You can have your connection servers configured to send logs to Splunk. You can configure a Syslog input and create a VMWare index on port 514. You can then create custom dashboards. I recommend using Splunk universal forwarder dedicated for your Syslog input. You can find more information and an example dashboard in this post. Just create two new dashboards and import the attached xml dashboards.
<form theme="dark">
<label>CONTOSO Horizon View Login Diagnostics</label>
<description>User statistics for you Horizon View farm</description>
<fieldset autoRun="true" submitButton="true">
<input type="time" searchWhenChanged="true" token="tok.time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok.pool">
<label>Pool</label>
<choice value="*">All</choice>
<choice value="*Windows 7">Windows 7</choice>
<choice value="*Windows 10">Windows 10</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>DesktopDisplayName</fieldForLabel>
<fieldForValue>DesktopDisplayName</fieldForValue>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$tok.time.earliest$ latest=$tok.time.latest$ | stats count by DesktopDisplayName| sort - count |fields - count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<title>Desktop Event Types Over Time</title>
<chart>
<search>
<query>index=vmware EventType!=Null | timechart count by EventType</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType!=Null | stats count by EventType</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<title>Desktop Logins Over Time</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Desktop Shutdown Over Time</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">bottom</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
<form theme="dark">
<label>CONTOSO Horizon View Login Activity</label>
<description>User statistics for you Horizon View farm</description>
<fieldset autoRun="true" submitButton="true">
<input type="time" searchWhenChanged="false" token="tok.time">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="tok.pool">
<label>Pool</label>
<choice value="*">All</choice>
<choice value="*Windows 7">Windows 7</choice>
<choice value="*Windows 10">Windows 10</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>DesktopDisplayName</fieldForLabel>
<fieldForValue>DesktopDisplayName</fieldForValue>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$tok.time.earliest$ latest=$tok.time.latest$ | stats count by DesktopDisplayName| sort - count |fields - count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<single>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$| stats count(_raw) as "Total Connections"</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Total Logins</option>
</single>
<single>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats dc(UserDisplayName) as "Total Users"</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-24h</option>
<option name="underLabel">Total Users</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Frequent User Logins</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) by UserDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) as Logins, count(UserDisplayName) as Percent by UserDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Frequent Pool Logins</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) as Logins by DesktopDisplayName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Frequent User Logins</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) by MachineName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) as Machines, count(MachineName) as Percent by MachineName</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Frequent Connection Managers</title>
<chart>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) by host</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
<table>
<search>
<query>index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) as Logins by host</query>
<earliest>$tok.time.earliest$</earliest>
<latest>$tok.time.latest$</latest>
</search>
<option name="count">12</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
