
Citrix CVAD Sessions per Data Center

  • by Helge Klein
  • October 26, 2015

One of the many cool things about uberAgent and Splunk is the ease with which you can extend the product and create your own reports. Splunk’s powerful search and report language is up to almost any conceivable task.

Session Count per Data Center

Many companies distribute their Citrix XenApp servers across two data centers. During normal operations sessions are balanced evenly between both data centers. If one data center goes down there is still 50% of the total capacity available. Much better than a total loss.

To check if the sessions are in fact balanced evenly we need to calculate the number of sessions per data center. We can do that with the following Splunk search:

index=uberagent sourcetype=uberAgent:Session:SessionDetail 
  earliest=-1m@m latest=now
  SessionID > 0
| eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2")
| timechart span=1m partial=false dc(SessionGUID) by datacenter

Note: HOSTREGEX needs to be adjusted to your environment so that it matches the hostnames of those machines that are located in datacenter 1 (details below).

Splunk Search Walkthrough

How does that work? Let’s walk through the steps one by one:

index=uberagent sourcetype=uberAgent:Session:SessionDetail

The snippet above selects uberAgent’s index (data container) and the sourcetype (event category) that contains session information. The complete list of uberAgent’s sourcetypes can be found here, by the way.

earliest=-1m@m latest=now

In the next snippet (above) we select the time range of the events we want to see. We are interested in the last full minute of data. We get it by snapping the earliest timestamp to the start of a full minute (@m) and by discarding data from the current minute, which is not yet complete (later on, with partial=false).

SessionID > 0

We are not interested in the services session (session zero). We can easily get rid of it by only including events with a session ID higher than zero.

| eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2")

The second command (eval) in the search pipeline creates a new field datacenter with the help of a regular expression and an if condition. We try to match each event’s hostname against a regular expression. “(?i)” specifies case insensitive matching. If the hostname matches, the field datacenter gets the value DC1, otherwise it gets the value DC2. Those two strings can be changed, of course!

HOSTREGEX must be changed according to the naming scheme used in your organization. If, for example, all machines located in datacenter 1 have a name that ends in _dc1, the above snippet should be changed as follows (match() succeeds on any substring of the hostname, so the $ anchor is what ties the pattern to the end of the name):

| eval datacenter = if(match(host, "(?i)_dc1$"), "DC1", "DC2")

| timechart span=1m partial=false dc(SessionGUID) by datacenter

The third command (timechart) in the search pipeline performs a distinct count (dc) of all session GUIDs per datacenter. Yes, here we use the new field created in the previous step. Session GUIDs are generated by uberAgent to make it easy to count distinct sessions and track individual sessions over time. That is not possible with Windows session IDs as those are reused.
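Before putting a HOSTREGEX into production it is worth checking how it buckets real hostnames, because the if() in the eval step sends every host that does not match to DC2. The following Python sketch is an added example, not part of uberAgent or the original article: it mimics the eval and the distinct count over constructed events. The hostnames, GUIDs and the stricter first-match-wins variant with an "unknown" bucket are assumptions, as is the premise that Python's re.search behaves like Splunk's match() for these simple patterns.

```python
import re
from collections import defaultdict

# Constructed events (host, SessionGUID, SessionID); not real uberAgent data.
EVENTS = [
    ("XA01_DC1", "g1", 2), ("xa01_dc1", "g1", 2),   # same session reported twice
    ("xa02_dc1", "g2", 3), ("xa02_dc1", "g0", 0),   # g0 is session zero
    ("xa03_dc2", "g3", 2), ("xa04_dc2", "g4", 5),
    ("xa_dc1lab_dc2", "g5", 2),                     # contains _dc1, ends in _dc2
    ("wks-0042", "g6", 1),                          # machine outside both data centers
]

def if_eval(host, dc1_regex):
    """The page's eval: DC1 when the regex matches any substring of host, else DC2."""
    return "DC1" if re.search(dc1_regex, host) else "DC2"

def case_eval(host, rules):
    """Hypothetical stricter variant: first matching rule wins, the rest is 'unknown'."""
    for regex, name in rules:
        if re.search(regex, host):
            return name
    return "unknown"

def sessions_per_dc(events, classify):
    """Distinct SessionGUIDs per data center, skipping session zero (SessionID > 0)."""
    guids = defaultdict(set)
    for host, guid, session_id in events:
        if session_id > 0:
            guids[classify(host)].add(guid)
    return {dc: len(found) for dc, found in sorted(guids.items())}

# Unanchored pattern: any host containing _dc1 lands in DC1.
LOOSE = sessions_per_dc(EVENTS, lambda h: if_eval(h, r"(?i).*_dc1"))
# Anchored pattern: only hosts ending in _dc1 land in DC1, everything else in DC2.
ANCHORED = sessions_per_dc(EVENTS, lambda h: if_eval(h, r"(?i)_dc1$"))
# Explicit rules for both data centers; unrelated hosts stay visible as 'unknown'.
STRICT = sessions_per_dc(EVENTS, lambda h: case_eval(
    h, [(r"(?i)_dc1$", "DC1"), (r"(?i)_dc2$", "DC2")]))

if __name__ == "__main__":
    print(LOOSE, ANCHORED, STRICT, sep="\n")
```

The three results differ only in how the two odd hostnames are bucketed, which is enough to make a skewed distribution look balanced or the other way round.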

Refinement: Active Sessions Only

The search shown above returns all user sessions. If you are interested in a subset only, e.g. active sessions, simply add a condition to the search:

index=uberagent sourcetype=uberAgent:Session:SessionDetail 
  earliest=-1m@m latest=now 
  SessionID > 0
  SessionConnectionState = "active"
| eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2")
| timechart span=1m partial=false dc(SessionGUID) by datacenter

What If You Are Not Using Citrix?

We have used Citrix XenApp in this article because of its popularity, but the searches presented here work just as well with Microsoft Remote Desktop Services (RDS) and VMware Horizon.
