uberAgent (https://uberagent.com): Windows, macOS, Citrix & VMware monitoring on Splunk (feed dated Wed, 27 May 2020 06:23:04 +0000)

Visualizing uberAgent Data in Azure Monitor—Part 4: Conclusion
https://uberagent.com/blog/visualizing-uberagent-data-in-azure-monitor-part-4-conclusion/
Wed, 20 May 2020 11:14:17 +0000


Welcome back to our four-part blog series about visualizing uberAgent data in Azure Monitor. So far you have learned the basics about Azure Monitor and the search language Kusto. You created your first Kusto search as well. Also, you learned that neither the built-in visualization options nor Grafana can compete with Splunk. This is part four.

The blog series is split as follows:

  1. First part: the basics
  2. Second part: comparing the dashboarding capabilities of Azure Monitor and Splunk
  3. Third part: using Grafana with Azure Monitor for uberAgent
  4. Fourth part (this article): conclusion

Searching in Azure Monitor Is Awesome

Azure Monitor’s search language Kusto is fun to work with. It’s intuitive to use, especially if you’ve worked with SQL or Splunk’s SPL before. It’s also very powerful! The only downside we found is that Kusto lacks the ability to use wildcards in comparisons.

Visualizations Could Use Some Work

There are several options for visualizing data in Azure Monitor:

  • Azure Dashboards
  • Azure Monitor Views
  • Workbooks
  • PowerBI

We have looked at all of them in this blog series. Unfortunately, no variant has all the features we need. What one is lacking, the other has. And vice versa.

A promising option comes from outside: Grafana. But not even Grafana provides all the functionality we would like to see in uberAgent dashboards.

Summary: Azure Monitor Visualization Capabilities

The table below illustrates how well the three technologies we examined in detail meet our requirements:

                           Azure Dashboards   Workbooks   Grafana
Interactivity              No                 Partly      Partly
Filtering                  No                 Yes         Partly
Powerful charts            Partly             Yes         Yes
Variables and parameters   No                 Yes         Yes
Packaging as an app        No                 Partly      Yes
JavaScript support         No                 No          No

Call Out to Our Partners

The dashboards we ship with uberAgent need to work for all organizations and use cases equally well. Specific requirements from individual customers can certainly be implemented well in Workbooks or Grafana. This is a great opportunity to shine for partners focused on Azure.

Visualizing uberAgent Data in Azure Monitor—Part 3: Grafana
https://uberagent.com/blog/visualizing-uberagent-data-in-azure-monitor-part-3-grafana/
Wed, 13 May 2020 17:39:03 +0000


Welcome back to our four-part blog series about visualizing uberAgent data in Azure Monitor. So far you have learned the basics about Azure Monitor and the search language Kusto. You created your first Kusto search as well. Also, you learned that none of the built-in visualization options can compete with Splunk. This is part three.

The blog series is split as follows:

  1. First part: the basics
  2. Second part: comparing the dashboarding capabilities of Azure Monitor and Splunk
  3. Third part (this article): using Grafana with Azure Monitor for uberAgent
    • Grafana installation and configuration
    • Creating uberAgent’s Machine Performance Dashboard in Grafana
  4. Fourth part: conclusion

What Is Grafana?

Grafana is an open-source analytics and monitoring solution. It connects to your Azure LogAnalytics workspace (or other data sources). That means your data is stored only once, in Azure, and you don’t have to replicate it to Grafana. The Kusto searches are written in Grafana, however. It has auto-complete and everything!

Install Grafana

You can either install Grafana locally in your data center or get it from Azure.

Set Up Grafana Locally

Grafana is available for a variety of operating systems. Choose the one you prefer. The installation is very well documented. I went with the following to install Grafana on Ubuntu.

# Install
sudo apt-get install -y apt-transport-https
sudo apt-get install -y software-properties-common wget
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/enterprise/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
sudo apt-get update
sudo apt-get install grafana

# Start service
sudo systemctl daemon-reload
sudo systemctl start grafana-server
sudo systemctl status grafana-server

# Configure the Grafana server to start at boot
sudo systemctl enable grafana-server.service

Set Up Grafana on Azure Through the Azure Marketplace

If you prefer to have everything in Azure you can get Grafana from the Azure Marketplace. The installation is documented by Microsoft.

Configure Grafana

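Now it’s time to configure Grafana to connect to your LogAnalytics workspace. First, browse to http://<IP address>:3000 and log in with admin as both username and password. These are Grafana’s default credentials; Grafana asks you to set a new password at the first login.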

Create a Service Principal

Grafana uses an Azure Active Directory service principal to connect to the Azure Monitor APIs and to collect data from your LogAnalytics workspace. Creating a service principal includes a lot of clicking in the Azure Portal. Documenting it here would make this article longer than it already is. Please read this article instead.

Make note of the following for the next step:

  • Directory (tenant) ID
  • Application (client) ID
  • Client secret

Configure The Azure Monitor Data Source

In Grafana, browse to Configuration > Data Sources, click on Add data source, and choose Azure Monitor.

Enter a name and your notes from the last step.

  • Azure Cloud: Azure
  • Directory (tenant) ID: The Directory (tenant) ID you noted while creating the Service Principal
  • Application (client) ID: The Application (client) ID you noted while creating the Service Principal
  • Client Secret: The secret you noted while creating the Service Principal

Click on Load Subscriptions and choose the subscription in which your uberAgent LogAnalytics workspace is located.

Under Azure Log Analytics API Details select Same details as Azure Monitor API and your uberAgent LogAnalytics workspace as default.

Click on Save & Test.

Creating uberAgent’s Machine Performance Dashboard in Grafana

Shall we finally start creating the first dashboard? Let’s!

Figure: Machine Performance Dashboard in Splunk.

Our goal is to copy uberAgent’s Machine Performance Dashboard from Splunk to see what’s possible in Grafana and what’s not. However, documenting everything here would be too much. I will give a few examples instead and share the complete dashboard as a download at the end of this article.

Variables

As mentioned in part two, we want the dashboard to be flexible. We will use dashboard variables in Grafana to add some flexibility.

Click on Dashboard Settings, choose Variables from the menu and click New.

The first variable $Function allows us to choose between averages, counts, etc. in charts. Enter the following:

  • Name: Function
  • Type: Custom
  • Label: Function
  • Values separated by comma: avg,count,max,min,sum,stdev

The second variable $Computer allows us to filter the dashboard to specific computers. By default, we want to see data for every computer. As Kusto doesn’t allow wildcards in comparisons, we have to go with regular expressions.

  • Name: Computer
  • Type: Text box
  • Label: Computer
  • Default value: .*

The First Chart: CPU Usage

The first chart we try to copy is CPU usage (%) per machine (top 10).

  • Click on Add panel and choose Add Query
  • Add the following search in the query editor. Note that we use our two variables by surrounding them with double square brackets. Also, we make use of the Grafana macro $__timeFilter(TimeGenerated) to take the from and to datetimes from the Grafana time picker.
uberAgent_System_SystemPerformanceSummary2_CL
| where $__timeFilter(TimeGenerated)
| where Computer matches regex '[[Computer]]'
| summarize CPUUsagePercentRaw = [[Function]](CPUUsagePercent_d) by Computer
| extend [[Function]]_CPUUsagePercent=round(CPUUsagePercentRaw, 1)
| order by [[Function]]_CPUUsagePercent
| project Computer, [[Function]]_CPUUsagePercent
  • Change to the visualization tab and choose the Bar Gauge
    • Show: All Values
    • Limit: 10
    • Orientation: Horizontal
    • Mode: Gradient
    • Unfilled: Yes
    • Title: $__cell_0 (another Grafana macro)
    • Unit: percent (0-100)
    • Min: 0
    • Max: 100
    • Decimals: 1
    • Thresholds: No thresholds. Choose green as the color.
  • Go to the general tab and enter the following
    • Title: CPU usage (%) per machine (top 10)
  • Save the dashboard

The result looks promising!

The devil is in the details, though. Variables in Grafana apply to the whole dashboard. We used the dashboard variable $Function for our chart. All other charts must also use this variable, or you must define a variable for each chart. The latter would become confusing quickly, especially for more complex charts where several variables are needed.

In Splunk, we have variables everywhere. Per row, per panel, and even per chart. We make use of this a lot in our Splunk dashboards as it allows changing the aggregation function as well as the field directly in a chart.

Playing With Drilldowns

In part two of this series, I explained why we need drilldowns. Let’s create one in our Grafana dashboard.

Create The Target Dashboard

Of course, the drilldown in our dashboard has to open something. Hence we create the target dashboard first. We call it Single Machine Detail.

  • Create the dashboard
  • Click on Dashboard Settings, choose Variables from the menu and click New
  • Create the variable $Computer
    • Name: Computer
    • Type: Text box
    • Label: Computer
    • Default value: .*

That is already enough for what we want to prove. Note down the URL part after the server name and port until the first question mark. We need that in the next step. For me, it is d/iW9KKOUWz/single-machine-detail.

Create The Drilldown

Go back to the Machine Performance Dashboard.

  • Click on Add panel and choose Add Query
  • Add the following search in the query editor
uberAgent_System_SystemPerformanceSummary2_CL
| where $__timeFilter(TimeGenerated)
| where Computer matches regex '[[Computer]]'
| summarize  
   ["[[Function]]. CPU (%)"] = round([[Function]](CPUUsagePercent_d),1), 
   IOPSRead = [[Function]](IOPSRead_d), 
   IOPSWrite = [[Function]](IOPSWrite_d)
   by Computer
| extend ["[[Function]]. IOPS"] = round(IOPSRead + IOPSWrite,1)
| project-away IOPSRead, IOPSWrite
| order by Computer asc
  • Format As: Table
  • Change to the visualization tab and choose the Table
    • Table Transform: Table
    • Apply to columns named: Computer
    • Render value as link: True
    • Url: d/iW9KKOUWz/single-machine-detail?var-Computer=${__cell:raw}&from=$__from&to=$__to

What is that URL?

  • d/iW9KKOUWz/single-machine-detail: the part from the URL I noted down before. Of course, the dashboard ID will be different in your case.
  • var-Computer=${__cell:raw}: pass the variable $Computer to the next dashboard with the raw content of the clicked table cell
  • from=$__from: set the dashboard’s timeframe to start at where our current dashboard started
  • to=$__to: set the dashboard’s timeframe to end at where our current dashboard ended

Now, when you click on one of the computers in the table, the Single Machine Detail dashboard opens and the $Computer variable we created earlier is updated with the clicked machine name.

No In-Page Drilldowns

Unfortunately, drilldowns to new dashboards are the only option in Grafana. While they are needed in some cases, in-page drilldowns are far more elegant and therefore preferred in most cases.

There is no option to show/hide a row/panel/chart depending on a variable, either. That would be needed for in-page drilldowns.

Download The Dashboard

Figure: Full dashboard in Grafana.

Please find the example dashboard as a JSON file here. Before importing, add your directory (tenant) ID as value for the subscription setting.

"queryType": "Azure Log Analytics",
"refId": "A",
"subscription": "Your directory (tenant) ID here"

Grafana: a Conclusion

I enjoyed working with Grafana during my research. Every setting is available in a nice UI, but you can work in JSON or JavaScript if you want to. Sadly, it does not meet all our requirements, either. Here is the full list.

Requirements

  • Interactivity
    • Drill down to new dashboard: yes
    • Drill down on the same dashboard: no
  • Filtering
    • Partly, through variables
    • Filtering based on queries only available for AM Metrics at the moment
  • Powerful charts
    • Good looking: yes
    • Resize and rearrangeable: yes
    • Customizable: yes
    • Different charts: yes
  • Variables and parameters
    • Yes
  • Packaging as an app
    • Yes
  • JavaScript support
    • Only for dashboard creation. No JavaScript framework to manipulate objects on the fly.
    • You can create charts completely in JavaScript as a third-party vendor. That requires a lot of effort, though.

Downsides

There are a few more downsides which are worth mentioning:

  • No Azure integration. You can’t manage dashboards and models through Azure Resource Manager.
  • Cost to support additional Grafana infrastructure or additional cost for Grafana Cloud.
  • Alerting available for the graph chart only.
  • Grafana Enterprise needs a separate license (required for support, access to all plugins, permission management).

Visualizing uberAgent Data in Azure Monitor—Part 2: AM vs. Splunk
https://uberagent.com/blog/visualizing-uberagent-data-in-azure-monitor-part-2-comparison-with-splunk/
Thu, 07 May 2020 16:24:23 +0000


Welcome back to our four-part blog series about visualizing uberAgent data in Azure Monitor. In the first part, you learned the basics about Azure Monitor and the search language Kusto. You created your first Kusto search as well. This is part two.

The blog series is split as follows:

  • First part: the basics
  • Second part (this article): comparing the dashboarding capabilities of Azure Monitor and Splunk
    • Azure Dashboards
    • Azure Monitor Views
    • Workbooks
    • PowerBI
  • Third part: using Grafana with Azure Monitor for uberAgent
  • Fourth part: conclusion

Dashboard Requirements

Most backend platforms have visualization components. But we don’t just need “dashboards” for uberAgent. We need a powerful frontend that combines great UX with the ability to visualize billions of events from hundreds of thousands of endpoints.

Azure Monitor (AM) has, in fact, four different dashboarding technologies. Before moving on and elaborating on AM’s capabilities, we’ll define our requirements.

Interactivity

uberAgent collects so much information, it would be overwhelming to see all of it on one page. Hence users should start on an overview page and should then be able to select items like machine or user names to drill down to more tailored views. These detailed views should open in new dashboards or, better yet, in new rows on the existing dashboard (see the animation above).

Filtering

Typically, uberAgent customers have thousands of machines, users, and applications. It is not always useful to see all the assets. Sometimes you only want to look at a subset, like:

  • machines from a certain vendor
  • desktops with Windows 10
  • specific applications

Therefore, a sophisticated filtering mechanism is needed. To give just one example of the many little things we do in our Splunk dashboards: we add or remove filter fields depending on the data shown on the dashboard. A Citrix dashboard, for instance, has other fields to filter by than a GPU dashboard.

Powerful Charts

This sounds obvious, but the charts should be good looking. It should also be possible to place them wherever they are needed on the page. Charts should be customizable in terms of color and appearance.

Not every metric should be visualized in a pie chart (actually, none should). Hence we need different chart types and visualizations to choose from.

Variables And Parameters

This requirement is already partly included in the previous points, but it is so important that we list it separately. We use variables in Splunk dashboards a lot. We use them per dashboard, per row, per panel, and even per chart. Variables help us to avoid writing redundant code. They also add flexibility to dashboards, for example by letting you choose between a variety of aggregation functions per chart.

Parameters are the secret sauce for flexible dashboards. Take our network communication dashboard as an example. We have variants for machines, applications, and processes. Behind the scenes, though, there is just one dashboard that gets called with different parameters.

Packaging as an App

uberAgent ships with more than 60 Splunk dashboards. Installing the dashboards and their related files should be quick and easy for the customer. That requires some kind of app concept built into the platform.

JavaScript Support

Last but not least: JavaScript. Not everything you see in our Splunk dashboards is available out of the box. However, Splunk comes with a JavaScript framework which we make use of to create what we’re missing. We definitely want that for other backends, too.

Comparing Azure Monitor With Splunk

AM has four visualization options. All four are described by Microsoft with the pros and cons in this article. I recommend working through it before continuing here.

Let’s compare each Azure Monitor dashboarding option with Splunk, based on the requirements laid out above.

Azure Dashboards

Azure Dashboards is probably the easiest way of visualizing data from Azure Monitor Logs. One can save charts powered by Kusto searches on new or existing dashboards with a few clicks. Azure Dashboards are great to get an overview of your environment. The dashboards are static, though. It is not possible to drill down by clicking on a chart.

Figure: A simple visualization of uberAgent data built with Azure Dashboards.

Capabilities

  • Interactivity
    • Drill down to new dashboard: no
    • Drill down on the same dashboard: no
  • Filtering
    • No
  • Powerful charts
    • Good looking: charts are not pretty but good enough
    • Resizeable and rearrangeable: yes
    • Customizable: no (source)
    • Different chart types: quite okay. Bar charts are missing (only column charts are available).
  • Variables and parameters
    • Only for AM Metrics, not for AM Logs. uberAgent requires the latter.
  • Packaging as an app
    • Dashboards can be exported, but not packaged as an app
  • JavaScript support
    • No

Azure Monitor Views

While still accessible in the Azure portal, Azure Monitor Views will be replaced by Workbooks. It makes no sense to rely on outdated technologies, so we will not look at Views any further.

Workbooks

Workbooks are already great and Microsoft is constantly adding new features and enhancements. Here is a short list of its capabilities:

  • Supports both logs and metrics
  • Allows both personal and shared views
  • Custom layout options with tabs, sizing, and scaling controls
  • Support for querying across multiple workspaces, Application Insights applications, and subscriptions
  • Enables custom parameters that dynamically update associated charts and visualizations
  • Template gallery support from public GitHub

I tried to recreate uberAgent’s Machine Performance dashboard in a Workbook and got great results:

Figure: Azure Monitor Workbook dashboard example with filtering and parameters.

Capabilities

Let’s check the details:

  • Interactivity
    • Drill down to new dashboard: no
    • Drill down on the same dashboard: yes
  • Filtering
  • Powerful charts
    • Good looking: yes
    • Resizeable and rearrangeable: yes
    • Customizable: somewhat; you can choose between color sets (source)
    • Different charts: yes
  • Variables and parameters
    • Yes (source)
    • Parameters are only possible per Workbook or group. In Splunk we have parameters per chart.
  • Packaging as an app
    • Only via Resource Manager templates (source)
  • JavaScript support
    • No

Microsoft states that Workbooks do not have a dense layout like dashboards, which makes them less useful as a single pane of glass; they are intended more for providing deeper insights (source). So a combination of Azure Dashboards and Workbooks would be nice. Too bad that Azure Dashboards are not interactive.

PowerBI

We can shorten things here. Queries have to be written in Kusto in Azure, exported to a PowerBI script, and then imported into PowerBI. That process is far too cumbersome to bother our customers with it (we’re selling a UX monitoring product, after all).

Conclusion

Unfortunately, none of the built-in visualization options can compete with what Splunk has to offer. Azure Dashboards are not interactive. Azure Monitor Views will be replaced. While PowerBI is powerful, it’s a mess when used in combination with AM.

Workbooks is the best built-in option at the moment. If you try to recreate Splunk Dashboards in AM Workbooks, you’ll be able to achieve some success, but ultimately fail because of many missing details.

To Be Continued…

If you have read the article from Microsoft about the visualization options that I mentioned earlier, you already know about Grafana—a third-party visualization solution. In the next article in this series, I will explain in detail what Grafana is, how to install and configure it, how to integrate it with Azure Monitor and uberAgent, and how to create a dashboard.

Visualizing uberAgent Data in Azure Monitor—Part 1: Basics
https://uberagent.com/blog/visualizing-uberagent-data-in-azure-monitor-part-i/
Thu, 30 Apr 2020 14:51:11 +0000


uberAgent ships with more than 60 Splunk dashboards to visualize its comprehensive data set. In addition to Splunk, uberAgent has been supporting Elasticsearch, Kafka, and Azure Monitor as alternative backends for a long time. While the data uberAgent sends to these backends is identical to the data sent to Splunk, we do not provide dashboards.

Why Are There No Dashboards for Elastic, Kafka and Azure Monitor?

Well, the answer we have given over the last years has always been the same, because one thing has not changed: Splunk’s visualization capabilities are miles ahead of all other backends!

Why Are We Writing This Article for Azure Monitor?

While we only got a few requests for dashboards for the other platforms in the past, we noticed an increased interest in the last few months for uberAgent dashboards for Azure Monitor. And that makes sense. More and more companies are moving to Microsoft 365. And if they weren’t Azure customers before, they are automatically now and keen to explore what to do with that service.

Time to Re-Evaluate Azure Monitor’s Dashboarding Capabilities

In the last weeks we have dealt with the subject in detail and I’m going to publish our findings in a four-part blog series.

The blog series is split as follows:

  • First part (this article): the basics
    • introduction to the topic
    • how to send uberAgent data to Azure Monitor
    • Kusto vs. SPL
    • the first Kusto search
  • Second part: comparing the dashboarding capabilities of Azure Monitor and Splunk
  • Third part: using Grafana with Azure Monitor for uberAgent
  • Fourth part: conclusion

My Setup

For this blog series, I worked with the following versions. Your results may differ if you test with other versions.

  • uberAgent 6.0 Beta
  • Splunk Enterprise 8.0.1
  • Grafana 6.6.0
  • There is no Azure Monitor version, as it is a cloud service. I tested with what was available in April 2020.

How to Send uberAgent Data to Azure Monitor

The first step is to have uberAgent data available in Azure Monitor (AM). AM supports two ways of storing data:

  1. Metrics
  2. Logs

uberAgent supports AM Logs only. When I’m writing about AM in this blog series, I’m always referring to AM Logs if not stated otherwise.

How to get data into AM is well described in our docs. I suggest heading over there and reading the article completely before returning here.

The name changed from Microsoft OMS Log Analytics to Azure Log Analytics to Azure Monitor Logs over time. Despite being an older term, one finds Azure Log Analytics still in articles today.

More confusion: the resource in Azure where you store logs is called Log Analytics Workspace.

uberAgent is using Azure’s HTTP Data Collector API to send data to AM. The API is still in preview. This is primarily the reason why the entire uberAgent AM integration is marked with experimental support in our docs.
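How a client authenticates to the HTTP Data Collector API, as an added example (not uberAgent's code and not from the original article): every POST is signed with HMAC-SHA256 using the workspace's shared key, and the API appends _CL to the log type and a type suffix to each field. The workspace ID, key and record below are constructed placeholders, and the log type is assumed to be the table name from this article without its _CL suffix.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
CONTENT_TYPE = "application/json"


def sign(workspace_id, shared_key_b64, date_rfc1123, content_length):
    """Return the Authorization header value for one POST to the API.

    The shared key is a workspace-wide secret: whoever holds it can write
    arbitrary records into the workspace, so store it like any credential.
    """
    string_to_sign = "\n".join([
        "POST",
        str(content_length),            # body length in bytes
        CONTENT_TYPE,
        "x-ms-date:" + date_rfc1123,    # binds the signature to the request date
        API_RESOURCE,
    ])
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return "SharedKey {}:{}".format(workspace_id, signature)


def build_request(workspace_id, shared_key_b64, log_type, records, date_rfc1123=None):
    """Build URL, headers and body for a batch of records (nothing is sent)."""
    body = json.dumps(records).encode("utf-8")
    date = date_rfc1123 or formatdate(usegmt=True)
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Log-Type": log_type,
        "x-ms-date": date,
        "Authorization": sign(workspace_id, shared_key_b64, date, len(body)),
    }
    url = "https://{}.ods.opinsights.azure.com{}?api-version={}".format(
        workspace_id, API_RESOURCE, API_VERSION)
    return url, headers, body


def table_name(log_type):
    """Custom log tables get the _CL suffix."""
    return log_type + "_CL"


def column_name(field, value):
    """Suffix added per JSON type. Only bool, number and plain string are
    covered here; the API also uses _t for date strings and _g for GUIDs."""
    if isinstance(value, bool):         # check bool first: bool is an int in Python
        return field + "_b"
    if isinstance(value, (int, float)):
        return field + "_d"
    return field + "_s"


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    ws = "00000000-0000-0000-0000-000000000000"
    key = base64.b64encode(b"constructed-demo-key").decode("ascii")
    record = {"CPUUsagePercent": 12.5, "IOPSRead": 3.0}
    url, headers, body = build_request(
        ws, key, "uberAgent_System_SystemPerformanceSummary2", [record])
    print(url)
    print(headers["Authorization"])
    print(table_name(headers["Log-Type"]),
          [column_name(k, v) for k, v in record.items()])
```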

Kusto vs. SPL

Now that you have uberAgent data in AM, you can search it. But how?

Searching is done in a specific language. Before we start comparing the dashboarding capabilities, we have to look at the search language. If AM’s language were lacking some important features of Splunk’s, we could stop here.

Splunk developed its own search language SPL, short for Search Processing Language. AM has its own language, too. It’s called Kusto.

Luckily, Microsoft created a nice comparison article. All functions, operators, and filters we are utilizing in our dashboard’s searches are available in Kusto, too. One thing bothers me, though. Kusto is not able to work with wildcards in comparisons. You have to work with regex, which ups the complexity unnecessarily.
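One way to bridge the wildcard gap, as an added example that is not part of the original article: translate a wildcard pattern such as SRV-* into an anchored, escaped regular expression and quote it as a Kusto verbatim string. This is the kind of value the $Computer filter in part three's Grafana dashboard feeds to matches regex. The function names and the allowed character set for machine names are assumptions.

```python
import re

# Characters with special meaning in RE2, the regex syntax Kusto uses.
_RE2_META = set("\\.+*?()|[]{}^$")

# Assumption: machine names consist of letters, digits, dot, underscore and
# hyphen; * and ? are the only wildcards. Everything else is rejected, so
# quotes, pipes or whitespace never reach the query text.
_ALLOWED = re.compile(r"[A-Za-z0-9._\-*?]{1,255}")


def wildcard_to_regex(pattern, ignore_case=True):
    """Translate * and ? wildcards into an anchored RE2 expression."""
    if not _ALLOWED.fullmatch(pattern):
        raise ValueError("unsupported characters in pattern: %r" % pattern)
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch in _RE2_META:
            parts.append("\\" + ch)     # e.g. a literal dot in an FQDN
        else:
            parts.append(ch)
    # matches regex is case-sensitive, machine names usually are not.
    prefix = "(?i)" if ignore_case else ""
    return prefix + "^" + "".join(parts) + "$"


def kusto_verbatim(text):
    """Quote text as a Kusto verbatim string literal (@'...').

    In verbatim literals the backslash stands for itself, which keeps regex
    escapes readable; a single quote is escaped by doubling it.
    """
    return "@'" + text.replace("'", "''") + "'"


def computer_filter(pattern):
    """Return the where clause that replaces a wildcard comparison."""
    return "| where Computer matches regex " + kusto_verbatim(wildcard_to_regex(pattern))


def top_cpu_query(pattern):
    """The article's first Kusto search, restricted to matching machines."""
    return "\n".join([
        "uberAgent_System_SystemPerformanceSummary2_CL",
        "| where TimeGenerated > ago(1h)",
        computer_filter(pattern),
        "| summarize CPUUsagePercentRaw = avg(CPUUsagePercent_d) by Computer",
        "| extend avg_CPUUsagePercent = round(CPUUsagePercentRaw, 1)",
        "| top 10 by avg_CPUUsagePercent",
        "| project Computer, avg_CPUUsagePercent",
    ])


if __name__ == "__main__":
    # Constructed sample patterns.
    for sample in ["SRV-*", "web?.corp.example", "*"]:
        print(sample, "->", wildcard_to_regex(sample))
    print(top_cpu_query("SRV-*"))
```

Without the escaping step, a name such as pc1.lab used as a regex would also match pc1xlab, because an unescaped dot matches any character.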

While Kusto is quite powerful, AM is lacking some advanced features we are using in Splunk. Saved searches, macros, data models – to name a few. Since these features are missing, we cannot map everything we have in Splunk to AM. For example, we automatically extend all Splunk source types with fields from our machine inventory to be able to filter or group in searches for these fields.

The First Kusto Search

It’s time to create our first Kusto search. Our goal is to list the average CPU usage per machine for the last hour. We only want the top 10.

Search in the uberAgent database and in the table which holds the performance data for machines:

uberAgent_System_SystemPerformanceSummary2_CL

We are only interested in the last hour:

| where TimeGenerated > ago(1h)

Get the average CPU usage per machine:

| summarize CPUUsagePercentRaw = avg(CPUUsagePercent_d) by Computer

We should round that number to make it easier to read:

| extend avg_CPUUsagePercent = round(CPUUsagePercentRaw, 1)

We are only interested in the top 10:

| top 10 by avg_CPUUsagePercent

Output only the machine name and the rounded CPU usage. We don’t need the field CPUUsagePercentRaw in our output:

| project Computer, avg_CPUUsagePercent

The complete search in Kusto:

uberAgent_System_SystemPerformanceSummary2_CL
| where TimeGenerated > ago(1h)
| summarize CPUUsagePercentRaw = avg(CPUUsagePercent_d) by Computer
| extend avg_CPUUsagePercent=round(CPUUsagePercentRaw, 1)
| top 10 by avg_CPUUsagePercent
| project Computer, avg_CPUUsagePercent

If you add | render barchart at the end, the result will be shown in a nice chart.

SPL

For comparison, the complete search in SPL:

index=uberagent sourcetype=uberAgent:System:SystemPerformanceSummary2 earliest=-1h
| stats avg(CPUUsagePercent) as CPUUsagePercentRaw by host
| eval avg_CPUUsagePercent=round(CPUUsagePercentRaw, 1)
| sort - avg_CPUUsagePercent limit=10
| fields host, avg_CPUUsagePercent

As you can see, the searches are very similar.

Read On…

That’s it for today. In the next part, I’m going to compare AM’s built-in visualizations with Splunk’s.

uberAgent 6.0 Beta: Introducing New Levels of Endpoint Visibility
https://uberagent.com/blog/uberagent-6-0-beta-introducing-new-levels-of-endpoint-visibility/
Thu, 23 Apr 2020 16:12:27 +0000

We are happy to announce the first beta version of our user experience monitoring and endpoint security analytics product. uberAgent 6.0 beta includes the first release of uberAgent ESA (endpoint security analytics) as well as uberAgent UXM for macOS and brings improvements to the current uberAgent UXM for Windows.

For a full list of changes, please consult the release notes.

uberAgent ESA Beta

We are thrilled to release our newest product uberAgent ESA into the public. uberAgent ESA is built on top of the existing uberAgent UXM product which provides rich context and metadata, while uberAgent ESA adds deep security visibility (documentation).

With the combination of ESA and UXM, you need only one agent for user experience, performance, and security. This guarantees the smallest possible footprint on the endpoint. Our technology is based on the famously efficient and reliable uberAgent UXM which has been deployed to enterprises worldwide with up to 300,000 users per organization.

In this first release, uberAgent ESA comes with process tagging and scheduled task monitoring. You can expect many more features in the final version.

Please note that this is a beta release not intended to be used in production.

uberAgent UXM for macOS Preview

Some of the world’s most successful enterprises are using uberAgent’s metrics to improve their users’ experience. Our customers typically start out with uberAgent at one type of endpoint, e.g. Citrix Virtual Apps. Once they see the product’s enormous practical value in their own environment, they often expand and deploy uberAgent to their other types of Windows devices, too: physical, virtual, RDSH, PCs, and laptops.

Many organizations have a certain percentage of Macs. This number could be as low as 5% or as high as 20%, but it is there. As soon as you have fantastic Windows monitoring, you want it for your Macs, too. A single product that spans all relevant platforms in end-user computing, collecting the same high-quality metrics for macOS as it does for Windows.

That is what we have included in this release for preview. Feel free to download, test, and enjoy.

Please note that this is a preview not intended to be used in production.

uberAgent UXM for Windows Beta

Last but not least, we are adding features to our current product, uberAgent UXM for Windows.

Please note that this is a beta not intended to be used in production.

Better Network Communication Monitoring

uberAgent UXM now ships with a network monitoring driver which enables much more accurate network communication monitoring. In addition, uberAgent now measures jitter and packet loss, too.

Improved Performance

We did a lot of work under the hood, resulting in an even smaller performance footprint on endpoints and Splunk servers than today.

About uberAgent

uberAgent is an innovative Windows and macOS user experience monitoring and endpoint security analytics product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events.

The post uberAgent 6.0 Beta: Introducing New Levels of Endpoint Visibility appeared first on uberAgent.

Monitoring #WFH & uberAgent Free For Unlimited Users For 2 Months https://uberagent.com/blog/monitoring-wfh-uberagent-free-for-an-unlimited-number-of-users-2-months/ Mon, 30 Mar 2020 17:09:04 +0000

In these unprecedented times, companies are faced with the challenge that the majority of their employees, all of a sudden, have to work from home. This means that technologies such as VPNs or virtual apps & desktops are being pushed to the limit (or even beyond).

Free uberAgent Licenses

We want to do our part to help by making it easy for existing customers to react to usage spikes caused by WFH, and for new customers to evaluate uberAgent in their production environments. Accordingly, we are happy to provide uberAgent UXM free for an unlimited number of users for two months. This offer is valid for everyone, customer or not. No strings attached. It starts immediately and is currently limited until the end of the year.

Without further ado, here is how to get started:

Existing customers can follow this guide on how to handle multiple license files.

Top 5 #WFH Use Cases Where uberAgent Helps in Minutes

Identifying Remote Connections

The first step to successfully analyze users and machines connecting remotely is to identify them. uberAgent gives you many filters to fine-tune dashboards to a specific group of users or machines.

Remote Connection Filters

Below is a list of useful filters. Pick the one that is most useful for you.

  • Include only WFH sessions: Client IP is 192.168.*
  • Exclude internal sessions: Client IP isNot 10.1.*
  • View only remoting sessions: Remoting protocol isNot Console
  • View only Citrix sessions: Remoting protocol is ICA
  • Machines in a particular remote site: AD site is MyRemoteSite
  • Machines with a non-corporate IP: IPv4 address(es) is not 10.*

These are just examples, of course, and the filter strings need to be adjusted for your organization.

Troubleshooting Network Issues

Since the employees work from home, the way into the company network via VPN is certainly the first choice for many. The gateway to the corporate network can quickly become a bottleneck. Of course, an employee’s internet connection or home Wi-Fi can also play a role.

In addition, communication paths are different from when employees work in the office. This affects firewall rules.

uberAgent measures network performance, detects problems, and displays the findings per machine and application.

Good dashboards to start with are:

  • Application Network Communication and Machine Network Communication
  • Application Network Issues and Machine Network Issues
  • Machine Network Configuration

Capacity Planning and Sizing

Your virtual application and desktop infrastructure is well designed and sized, of course! But with all those additional users the load could suddenly be too high.

uberAgent enables you to spot bottlenecks and plan for optimized resource utilization. Sizing virtual environments becomes so easy that you wonder how you did it without uberAgent.

Learn more about sizing and capacity planning with uberAgent.

More Insights For Your Helpdesk

Your helpdesk team is now under pressure supporting all the employees connecting from home. Heck, the helpdesk team itself is working from home. Why not give them more insights into what’s going on in the environment they support?

The uberAgent Helpdesk Splunk App is designed for helpdesk heroes who support virtual or physical desktops and who need quick answers to typical questions like the following:

  • Why is my login so slow? It was fast yesterday.
  • Why is my app constantly crashing?
  • Citrix is slow!
  • The website is not loading fast enough!

General uberAgent Awesomeness in Action

The last point we wanted to share is not a specific point per se, but a list of ten! Head over to this other blog post describing the top 10 issues uberAgent helps identify in minutes.

vast limits is a Windows Virtual Desktop Partner With uberAgent https://uberagent.com/blog/vast-limits-is-a-windows-virtual-desktop-partner-with-uberagent/ Fri, 13 Mar 2020 12:45:33 +0000

We are happy to announce that vast limits now is a Windows Virtual Desktop partner with uberAgent.

Benefits of the Partnership

The WVD partnership demonstrates our commitment to Microsoft. We not only support uberAgent with virtualized applications and desktops, we actively optimize it for that use case. uberAgent’s lightweight agent collects unique metrics without impacting user density. This makes it the perfect choice for gaining visibility into your WVD deployment.

About uberAgent

uberAgent is an innovative Windows and macOS user experience monitoring and security analytics product for physical and virtual endpoints. Its UX highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drilldowns, process startup duration, application usage metering, browser performance per website and remoting protocol insights. On the security side, uberAgent provides deep visibility at a low data volume through its flexible process tagging engine for identifying risky activity with predefined rules for many common threats.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events.

Choosing macOS Computer Names Wisely https://uberagent.com/blog/choosing-macos-computer-names-wisely/ Wed, 15 Jan 2020 15:50:28 +0000

How do you tell one machine from another?

In the physical world, referring to a specific object may be a simple task where one can resort to the object’s location, to its visual markers like form, color, and labels or to a telling name. In the digital world of bits and bytes, on the other hand, nothing exceeds a unique identifier, especially when it bears the signs of universal (or at least global) uniqueness, which denotes, in essence, a random identifier. While the latter may be an ideal solution from a purely logical perspective, it is not very intuitive in human-machine interaction. That is because humans are not very good at handling random strings of text but rather prefer names that have meaning to them. So, when humans need to identify an object in the digital world, the solution usually turns out to be a name that is “human-readable” and at the same time unique enough to allow for a sufficient amount of non-duplicate names.

When it comes to machine names, unfortunately, macOS does not handle this solution very well. At least not by default.

Figure: Permanence (excerpt) by xkcd under CC BY-NC 2.5

Apple devices are automatically named after their owner: “Bob’s iPhone”, “Susan’s iMac” and so on. While this seems charmingly simple and may work well in small environments like a family home or a small business, in the context of an enterprise with hundreds or even thousands of workstations the default solution will not “just work”, obviously. As soon as two Susans each have an iMac, both machines will have the same name. Which is bad. Because of that, enterprise IT departments usually follow a naming convention that makes every machine uniquely identifiable. While there is hardly one naming convention that fits all, most of them make use of some of the following factors:

  • User name
  • Department
  • Site
  • Functional role
  • Sequential numbering
  • Serial number
  • MAC address
  • Operating system

Because a user name and especially a department may not be unique enough on their own, it is quite common to combine both factors with each other or with additional factors. Serial numbers and MAC addresses, on the other hand, might be regarded as too verbose, hard to communicate or even as sensitive information.

But whatever naming convention an IT department follows, the inevitable question is: what is the right place to store the machine name on a macOS system?

Computer Name

Indeed, macOS offers several places that may store a machine identifier. Users naturally resort to the computer name that can be easily set via the System Preferences GUI and features prominently in everyday contexts like Network Discovery, AirDrop or iCloud. There is a caveat, though, that every system admin spots from a mile away: the computer name allows spaces and special characters – remember: “Susan’s iMac“. This is rarely acceptable in system administration and allowing it makes the machine name error-prone and therefore not a feasible choice when maintaining enterprise machines.

Luckily, macOS also offers two other options, namely the local hostname and the (regular) hostname. But what is their intended purpose? And which one is suited best?

Local Hostname

Apple explains the local hostname like this:

Your computer’s local hostname, or local network name, is displayed on your local network so others on the network can connect to your Mac. It also identifies your Mac to Bonjour-compatible services.

It also explains how the local hostname is usually constructed:

The local network name is your computer’s name with .local added, and any spaces are replaced with hyphens (-).

And elsewhere:

If your Mac has the exact name of another Mac on your local network, a number is added to the local network name.

Add to these statements that any special characters in the computer name will get replaced by their regular character counterparts or completely stripped and that the length of the local hostname is limited to 64 characters, and you get a serious contestant for the best place to store a machine name.

Hostname

The hostname is probably the oldest facility for naming a macOS system, with the respective API being part of its FreeBSD heritage. The hostname’s purpose is simply to hold a name for the system, and it can easily be looked up by running the hostname command from the terminal. How the hostname is usually determined on macOS is an entirely different story, though. Searching the Internet for clues turns up exactly one official document which dates back to 2005: The Mac OS X Server 10.4 Worksheet.

This setting causes the server’s host name to be the first name that’s true in this list:
- The name provided by the DHCP or BootP server for the primary IP address
- The first name returned by a reverse DNS (address-to-name) query for the primary IP address
- The local hostname
- The name “localhost”

We never observed “localhost” in our own tests but since the local hostname itself is a derivative as outlined above, the last line should probably read “The computer name“ by now. In case you were wondering what happens if the computer name was not set, that is a really good question which we have no answer for because we never managed to not set it. The System Preferences GUI does not allow an empty text field and the scutil CLI automatically replaces an empty string with the machine’s model name, e.g. “MacBook Pro“.

What’s probably most interesting to a system administrator is the fact that the hostname, unlike the local hostname, is allowed to contain spaces and special characters. That makes the hostname as bad a choice as the computer name to store the machine name. Top that off with more or less unpredictable name changes whenever the machine’s network connection changes, at least when relying on the automatic naming mechanisms, and hostname is definitely out of the game.

Three Names, One Machine

The scutil man page offers what is probably the most comprehensive description of the three names:

ComputerName  The user-friendly name for the system.
LocalHostName The local (Bonjour) host name.
HostName      The name associated with hostname(1) and gethostname(3).

A Practical Solution

To answer the question from above where the macOS machine name should ideally be stored, the most simple and pragmatic solution is: everywhere. When computer name, local hostname and hostname all match exactly, there will never be a chance for confusion when any of the three names pop up on the network, in log files, in web dashboards or anywhere else.

But wouldn’t it be sufficient to simply set the computer name and let the system handle local hostname and hostname automatically? Even if the computer name did not contain any spaces or special characters, which would at least make the local hostname a match, the system tries to be helpful and automatically adds a DNS domain suffix to the hostname.

So, the practical solution is to set all three names explicitly. The most comprehensive tool for explicitly setting the computer name, local hostname and hostname is scutil:

% sudo scutil --set ComputerName "HAL9000"
% sudo scutil --set LocalHostName "HAL9000"
% sudo scutil --set HostName "HAL9000"
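
The procedure above as a script that also verifies the three names match afterwards, which is what keeps one machine from showing up under several identities in logs and dashboards. This is an added example, not code from the original post or from uberAgent; the function names, the --apply switch and the validation rule (letters, digits and hyphens only, at most 63 characters) are assumptions.

```shell
#!/bin/sh
# Added example: set one validated name in all three macOS name stores
# (ComputerName, LocalHostName, HostName) and detect drift between them.

# Assumed naming rule: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters. This stays within the local hostname limit
# described above and rules out spaces and special characters.
is_valid_machine_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 63 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;   # space, apostrophe, dot, ...
        -*|*-)           return 1 ;;   # leading or trailing hyphen
    esac
    return 0
}

# Return 0 if all three names equal $1. Otherwise print one line per
# deviating name and return 1.
names_match() {
    expected=$1
    mismatch=0
    for key in ComputerName LocalHostName HostName; do
        # A name that was never set yields no value here.
        actual=$(scutil --get "$key" 2>/dev/null) || actual=""
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s: expected "%s", found "%s"\n' \
                "$key" "$expected" "${actual:-<not set>}"
            mismatch=1
        fi
    done
    return "$mismatch"
}

# Validate the name, write it to all three stores, then read it back.
# Returns 2 for a rejected name, 1 if writing or verification fails.
set_all_names() {
    new=$1
    if ! is_valid_machine_name "$new"; then
        echo "refusing to set invalid machine name: $new" >&2
        return 2
    fi
    for key in ComputerName LocalHostName HostName; do
        sudo scutil --set "$key" "$new" || return 1
    done
    names_match "$new"
}

# Only act when called as: sh set-names.sh --apply HAL9000
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    set_all_names "$2"
fi
```

Running names_match with the expected name on its own is a read-only audit that needs no admin rights, so it can be scheduled to flag machines whose hostname has drifted, for example after the system appended a DNS domain suffix.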

What The Network Sees

So you went out of your way and explicitly set the computer name, local hostname, and hostname but you still see your machine lingering on the network under another name? What routers, IP scanners, and non-macOS systems regularly use for identification is the NetBIOS name that can be retrieved over the network similar to Bonjour names. On macOS, the NetBIOS name is derived from the local hostname but of course, it can also be set explicitly in the System Preferences:

System Preferences > Advanced… > WINS > NetBIOS Name

The uberAgent Host Identifier

uberAgent on macOS uses the local hostname as the host identifier when sending data to backends. Since the local hostname does not allow spaces or special characters, it automatically enforces the basic backend requirements for host identifiers. This also allows for automatic host naming which otherwise, using the (regular) hostname, could yield unpredictable results whenever the network connection changed. It also ensures that backends always see the exact same name as an administrator would on the machine, because not uberAgent but the macOS system itself performs the automatic name sanitization if necessary.

uberAgent 5.3.1: Firefox Monitoring Enhancements and General Bug Fixing https://uberagent.com/blog/uberagent-5-3-1-firefox-monitoring-enhancements-and-general-bug-fixing/ Wed, 18 Dec 2019 17:46:47 +0000

We are happy to announce the newest version of our user experience and application performance monitoring product. uberAgent 5.3.1 adds enhancements for monitoring web apps in Firefox and brings many other improvements.

For a full list of changes, please consult the release notes. As always, upgrading is highly recommended (instructions).

Firefox

As you might have read on our blog, Mozilla enforces showing a consent dialog to users if an add-on collects information about visited URLs, even if the add-on was deployed through Group Policy. This resulted in manual changes and work for administrators. With uberAgent version 5.3.1, everything is automated again.

General Bug Fixing

We made uberAgent even more robust by fixing a few bugs. The complete list can be found here.

About uberAgent

uberAgent is an innovative Windows and macOS user experience monitoring and endpoint security analytics product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drilldowns, process startup duration, application usage metering, browser performance per website and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience and application performance monitoring product. Our customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Our founder, Helge Klein, is an experienced consultant and developer who architected the user profile management product whose successor is now available as Citrix Profile Management. In 2009 Helge received the Citrix Technology Professional (CTP) award, in 2011 he was nominated a Microsoft Most Valuable Professional (MVP), in 2014 he was a Splunk Revolution Award Winner, in 2015 he became a VMware vExpert. Helge frequently presents at conferences and user group events.

New Documentation Portal https://uberagent.com/blog/new-documentation-portal/ Thu, 12 Dec 2019 16:13:06 +0000

In the past years, we have invested heavily in our product documentation. The latest result is a new documentation portal that provides access to any article or document that we have on uberAgent.

What’s in the Documentation?

The list of articles hosted in the uberAgent documentation is quite extensive. In addition to the obvious installation guides and the like, we have a comprehensive list of all the metrics collected by uberAgent, a knowledge base, as well as a list of practice guides – articles that explain how to solve real-world problems with uberAgent.

vlDocs

When we started planning a modern approach to documentation, we quickly realized that we wanted a system that would support versioning the docs in the same way we version our software, including the ability for customers to switch the docs to the version they have in use. We found inspiration in Splunk’s Ponydocs, a system based on MediaWiki, and looked for a comparable solution for our WordPress site. To our astonishment, nothing of the kind existed. There were simply no decent software product documentation plugins on the market. So we built our own, vlDocs.

Just like Ponydocs, vlDocs has inheritance built-in. If you write an installation guide for your product’s version 1.0, the content of that page is probably not going to change very much when you release 1.1 or 1.2, if at all. That is where inheritance kicks in. In vlDocs, a new version inherits all documents from its parent version by default. You only need to touch the documentation when you actually change how the product works.

If, for example, you change how a feature works in version 2.0 of your product, you branch that feature’s documentation page at version 2.0 of the documentation, and edit the branched copy to reflect the changes in the product. The documentation for later product versions will inherit not from the original, but from the branched page instead.

vlDocs 2.0

Ease of use and quick access to information are of paramount importance for a documentation solution. In this latest version 2.0 of vlDocs, we added several features that improve the overall user experience.

Documentation Portal

The new documentation portal serves as an entry point and combines search functionality with quick links to the most important topics and chapters.

Search

Search is available on the portal as well as on every individual documentation page – just look for the magnifying glass symbol in the upper right corner.

By default, a search covers the latest version of all chapters of all products. Optionally, searches can be restricted to individual products or chapters, or specific versions of a product.

Table of Contents

If the screen is wide enough, a table of contents is displayed on the left-hand side. On smaller screens, the table of contents is accessible through a hamburger menu.

Keyboard Navigation

When you open the documentation portal, the keyboard focus is already on the search field and you can start typing your query right away. Search results are fetched dynamically while you type. Navigate the results with the cursor up/down keys and press ENTER to bring up the page you are interested in.

On individual documentation pages, the search overlay can be accessed by typing / (forward slash). Press ESC if you want to get rid of the search overlay.

Breadcrumbs

Every documentation page now has breadcrumbs above the page’s title that allow for yet another type of navigation.

Full-Width Display

The metrics documentation has some tables that can use every pixel of screen real estate. Documentation pages now provide that space by using the available width.
