The name in the stanza is just my own name to identify the data collection. The reference to perfmon counters is defined in the "counters" and "object" fields under the stanza. I am only using standard counters that are available on Windows - to get a list on a particular server, run the following command in a command window - "typeperf -q". You will see if you run this on a Citrix server, you get more counters than would exist on a plain Windows servers So if I take two example [perfmon://citrix-userCPU] counters = CPU Entitlement; CPU Reservation; CPU Shares; CPU Usage; Long-term CPU Usage instances = * interval = 60 object = Citrix CPU Utilization Mgmt User useEnglishOnly=true mode = multikv showZeroValue = 1 [perfmon://citrix-tssessions] counters = Active Sessions;Inactive Sessions;Total Sessions instances = * interval = 60 object = Terminal Services useEnglishOnly=true mode = multikv showZeroValue = 1 Each perfmon stanza must be in the following format - [perfmon://] Where is your own personal name. In the first stanza, the specific perfmon counter is "Citrix CPU Utilization Mgmt User" - this comes from Xenapp (https://blog.citrix24.com/xenapp-6-5-performance-counters/) In the second stanza, the specific perfmon counter is "Terminal Services" - This is a standard terminal services counter - available on any Windows server using terminal services. I got all of these names by running the typeperf command or looking at the perfmon tool on a server. Any perfmon counter you can collect using native perfmon, you can collect via the Splunk. For example if I run the typeperf command and got the following output for the terminal services object - \Terminal Services\Total Sessions \Terminal Services\Inactive Sessions \Terminal Services\Active Sessions You can see in my second staza above, I am listing these counters under the "Terminal Services" object, I have listed all three, but you can decide which specific counters you actually want to collect. counters = Active Sessions;Inactive Sessions;Total Sessions Finally there is the "instances" field - this just defines whether you collect from a named instance or wildcard (i.e. all instances). In the context of Citrix/TS, we want to collect data from all sessions, so just use the wildcard instance. If you were collecting CPU data, you might just specify the "_total" instance rather than collect CPU data for all individual cores. ... View more

Just to clarify - Splunk forwarders / heavy forwarders can only push data to another Splunk instance - this is explicitly defined in the name "forwarder". They cannot pull data from another Splunk instance. You cannot "pull" data from a heavy forwarder. The only time you use Splunk to "pull" data is in the following scenarios A Splunk instance (forwarder/indexer etc) has an input defined to remotely collect data. For example to monitor a file on a remote share You send a remote command to a Splunk instance to read/write/apply configuration settings. - for example run CLI command or rest API call. However this generally relates to configuration only and not to perform regular data pulls. A splunk search head can point to a remote indexer to perform a remote search and effectively pull the data back to the search head - but the target needs to be an indexer which stores data. So if you want to have data remaining in the DMZ that you can "pull" - you would have to deploy an indexer to store this data in the DMZ, then you use a remote search instance to "pull" results as and when required. ... View more