One of the many cool things about uberAgent and Splunk is the ease with which you can extend the product and create your own reports. Splunk’s powerful search and report language is up to almost any conceivable task.
Session Count per Data Center
Many companies distribute their Citrix XenApp servers across two data centers. During normal operations, sessions are balanced evenly between both data centers. If one data center goes down, 50% of the total capacity is still available, which is much better than a total loss.
To check if the sessions are in fact balanced evenly we need to calculate the number of sessions per data center. We can do that with the following Splunk search:
index=uberagent sourcetype=uberAgent:Session:SessionDetail earliest=-1m@m latest=now SessionID > 0 | eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2") | timechart span=1m partial=false dc(SessionGUID) by datacenter
Note: HOSTREGEX needs to be adjusted to your environment so that it matches the hostnames of those machines that are located in datacenter 1 (details below).
Splunk Search Walkthrough
How does that work? Let’s walk through the steps one by one:
The first two terms of the search, index and sourcetype, select uberAgent’s index (data container) and the sourcetype (event category) that contains session information. The complete list of uberAgent’s sourcetypes can be found here, by the way.
The next two terms, earliest and latest, select the time range of the events we want to see. We are interested in the last full minute of data. We get it by snapping the earliest timestamp to the start of a full minute (“@m”) and ignoring data from the current minute, which is not yet complete (that happens later with “partial=false”).
SessionID > 0
We are not interested in the services session (session zero). We can easily get rid of it by only including events with a session ID higher than zero.
| eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2")
The second command (eval) in the search pipeline creates a new field datacenter with the help of a regular expression and an if condition. We try to match each event’s hostname against a regular expression. “(?i)” specifies case-insensitive matching. If the hostname matches, the field datacenter gets the value “DC1”, otherwise it gets the value “DC2”. Those two strings can be changed, of course!
HOSTREGEX must be changed according to the naming scheme used in your organization. If, for example, all machines located in datacenter 1 have a name that ends in “_dc1”, the snippet above should be changed as shown here. match() succeeds when the regular expression matches anywhere in the hostname, so the trailing “$” is needed to anchor the pattern to the end of the name:
| eval datacenter = if(match(host, "(?i)_dc1$"), "DC1", "DC2")
| timechart span=1m partial=false dc(SessionGUID) by datacenter
The third command (timechart) in the search pipeline performs a distinct count (“dc”) of all session GUIDs per datacenter. Yes, here we use the new field created in the previous step. Session GUIDs are generated by uberAgent to make it easy to count distinct sessions and track individual sessions over time. That is not possible with Windows session IDs as those are reused.
Refinement: Active Sessions Only
The search shown above returns all user sessions. If you are interested in a subset only, e.g. active sessions, simply add a condition to the search:
index=uberagent sourcetype=uberAgent:Session:SessionDetail earliest=-1m@m latest=now SessionID > 0 SessionConnectionState = "active" | eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2") | timechart span=1m partial=false dc(SessionGUID) by datacenter
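A variation on the searches above that reports the balance directly, added here as an example and not part of the original article. It classifies hosts explicitly, so machines matching neither naming pattern show up as "unclassified" instead of being counted as DC2 by the if/else fallthrough. The "_dc2" suffix for datacenter 2 and the tolerance of 10 percentage points around 50% are assumptions to adjust.

```spl
index=uberagent sourcetype=uberAgent:Session:SessionDetail earliest=-1m@m latest=@m SessionID > 0
| eval datacenter = case(match(host, "(?i)_dc1$"), "DC1", match(host, "(?i)_dc2$"), "DC2", true(), "unclassified")
| stats dc(SessionGUID) AS sessions BY datacenter
| eventstats sum(sessions) AS total
| eval share_pct = round(100 * sessions / total, 1)
| eval balanced = if(datacenter == "unclassified" OR abs(share_pct - 50) > 10, "no", "yes")
| table datacenter sessions total share_pct balanced
```

Setting latest=@m restricts the search to the last complete minute, which replaces the partial=false option that only timechart offers. Any row with balanced="no" points either to uneven load or to hosts that the naming patterns do not cover.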
What If You Are Not Using Citrix?
We have used Citrix XenApp in this article because of its popularity, but the searches presented here work just as well with Microsoft Remote Desktop Services (RDS) and VMware Horizon.