Citrix CVAD Sessions per Data Center
One of the many cool things about uberAgent and Splunk is the ease with which you can extend the product and create your own reports. Splunk’s powerful search and report language is up to almost any conceivable task.
Many companies distribute their Citrix XenApp servers across two data centers. During normal operations, sessions are balanced evenly between both data centers. If one data center goes down, 50% of the total capacity is still available, which is much better than a total loss.
To check if the sessions are in fact balanced evenly we need to calculate the number of sessions per data center. We can do that with the following Splunk search:
index=uberagent sourcetype=uberAgent:Session:SessionDetail [email protected] latest=now SessionID > 0 | eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2") | timechart span=1m partial=false dc(SessionGUID) by datacenter
HOSTREGEX needs to be adjusted to your environment so that it matches the hostnames of those machines that are located in datacenter 1 (details below).
How does that work? Let’s walk through the steps one by one:
The first part of the search selects uberAgent’s index (data container) and the sourcetype (event category) that contains session information. The complete list of uberAgent’s sourcetypes can be found here, by the way.
[email protected] latest=now
In the next snippet (above) we select the time range of the events we want to see. We are interested in the last full minute of data. We get it by setting the earliest timestamp to start at the full minute (@m) and ignoring data from the current minute that is not yet fully complete (later with
SessionID > 0
We are not interested in the services session (session zero). We can easily get rid of it by only including events with a session ID higher than zero.
| eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2")
The second command (eval) in the search pipeline creates a new field datacenter with the help of a regular expression and an if condition. We try to match each event’s hostname against a regular expression. “(?i)” specifies case-insensitive matching. If the hostname matches, the field datacenter gets the value DC1, otherwise it gets the value DC2. Those two strings can be changed, of course!
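HOSTREGEX must be changed according to the naming scheme used in your organization. If, for example, all machines located in datacenter 1 have a name that ends in _dc1, the snippet above should be changed as follows (the trailing $ anchors the pattern to the end of the name, because match also succeeds when the expression matches only part of the hostname):
| eval datacenter = if(match(host, "(?i).*_dc1$"), "DC1", "DC2")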
| timechart span=1m partial=false dc(SessionGUID) by datacenter
The third command (timechart) in the search pipeline performs a distinct count (dc) of all session GUIDs per datacenter. Yes, here we use the new field created in the previous step. Session GUIDs are generated by uberAgent to make it easy to count distinct sessions and track individual sessions over time. That is not possible with Windows session IDs as those are reused.
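A HOSTREGEX that is too loose silently moves hosts into DC1 and makes the chart show an imbalance that does not exist. The following Python sketch is an added example, not part of the original article or of uberAgent: it replays the search's classification and distinct-count logic over a constructed host inventory and constructed events (all hostnames, GUIDs and function names are assumptions) so that a candidate pattern can be checked before it goes into the search.

```python
import re
from collections import defaultdict

def classify(host, host_regex):
    # Mirrors: eval datacenter = if(match(host, regex), "DC1", "DC2").
    # re.search is unanchored, like Splunk's match().
    return "DC1" if re.search(host_regex, host) else "DC2"

def misclassified(inventory, host_regex):
    # Hosts whose regex-derived data center differs from the known location.
    return sorted(h for h, dc in inventory.items() if classify(h, host_regex) != dc)

def sessions_per_dc(events, host_regex):
    # Distinct SessionGUIDs per (minute, datacenter), ignoring session 0.
    seen = defaultdict(set)
    for minute, host, session_id, guid in events:
        if session_id > 0:
            seen[(minute, classify(host, host_regex))].add(guid)
    return {key: len(guids) for key, guids in seen.items()}

def dc1_share(counts, minute):
    # Fraction of the minute's sessions in DC1; 0.5 means evenly balanced.
    dc1 = counts.get((minute, "DC1"), 0)
    total = dc1 + counts.get((minute, "DC2"), 0)
    return dc1 / total if total else None

LOOSE = r"(?i).*_dc1"    # matches "_dc1" anywhere in the name
STRICT = r"(?i).*_dc1$"  # matches only names that end in "_dc1"

# Constructed inventory: hostname -> data center the machine really is in.
INVENTORY = {
    "CTX01_DC1": "DC1", "ctx02_dc1": "DC1", "CTX01_DC2": "DC2",
    "CTX07_DC10": "DC2", "CTX_DC1_TEST_DC2": "DC2",
}

# Constructed events: (minute, host, SessionID, SessionGUID).
EVENTS = [
    ("10:00", "CTX01_DC1", 0, "g0"),   # session zero, excluded
    ("10:00", "CTX01_DC1", 2, "g1"),
    ("10:00", "CTX01_DC1", 2, "g1"),   # same session reported twice
    ("10:00", "ctx02_dc1", 3, "g2"),
    ("10:00", "CTX01_DC2", 2, "g3"),
    ("10:00", "CTX07_DC10", 2, "g4"),  # DC2 host that LOOSE puts in DC1
]

if __name__ == "__main__":
    for name, rx in (("loose", LOOSE), ("strict", STRICT)):
        counts = sessions_per_dc(EVENTS, rx)
        print(name, misclassified(INVENTORY, rx), counts, dc1_share(counts, "10:00"))
```

Python's re module stands in for Splunk's regex engine here, which is adequate for simple hostname patterns like these.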
The search shown above returns all user sessions. If you are interested in a subset only, e.g. active sessions, simply add a condition to the search:
index=uberagent sourcetype=uberAgent:Session:SessionDetail [email protected] latest=now SessionID > 0 SessionConnectionState = "active" | eval datacenter = if(match(host, "(?i)HOSTREGEX"), "DC1", "DC2") | timechart span=1m partial=false dc(SessionGUID) by datacenter
We have used Citrix XenApp in this article because of its popularity, but the searches presented here work just as well with Microsoft Remote Desktop Services (RDS) and VMware Horizon.