Without a point of reference for comparison—a watched and ticking timer or a head-to-head race—most people won’t notice less than 33% difference in the time to complete a familiar task. A typical observer—one not actually timing things—faced with an hour-long task that completed in 40 minutes will think “hey, that seemed fast.” The same observer, waiting for a one second task to complete, will generally start frowning around 1,300ms.
DDC Service Status Splunk Query
Here are the Splunk queries that I use to to find the status of each Citrix XenDesktop service that runs on each DDC server. It is really useful to find all services but with these Splunk queries are break out each XenDesktop service into its own query so you can slice and dice depending on what you are looking for. It speeds things up in Splunk if you can narrow the amount of data you pull in the first place.
DDC Service Status Splunk Query
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixAdIdentityService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixAnalytics ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixBrokerService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixConfigurationLogging ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixConfigurationService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixDelegatedAdmin ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixEnvTest ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixHostService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixMachineCreationService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixMonitor ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixPrivilegedService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixStorefront ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Splunk Queries for Citrix XenDesktop Services
I developed the following Splunk queries to count how many of each XenDesktop service is running in the Citrix Environment. Each query is based upon the Windows Service name and looks for the Start Mode to be AUTO. It will return a count of the service if the service is running or not. You only want to know the count if the service is running that is an easy change to the ‘State’ field value.
The Citrix EUEM service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix EUEM” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Encryption Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix Encryption Service” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Licensing service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix Licensing” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Peer Resolution Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix Peer Resolution Service” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix AD Identity Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixAdIdentityService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Analytics service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixAnalytics” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Broker Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixBrokerService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Configuration Logging service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixConfigurationLogging” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Configuration Replication service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixConfigurationReplication” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Configuration Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixConfigurationService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Credential Wallet service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixCredentialWallet” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix CSE Engine service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixCseEngine” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Default Domain Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixDefaultDomainService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Delegated Admin service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixDelegatedAdmin” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Environment Test service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixEnvTest” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Host Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixHostService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Machine Creation Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixMachineCreationService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Monitor service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixMonitor” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Privileged Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixPrivilegedService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Redirector service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixRedirector” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Service Monitor service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixServiceMonitor” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Storefront service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixStorefront” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Subscriptions Store service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixSubscriptionsStore” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Telemetry Service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixTelemetryService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
The Citrix Web Services for Licensing service:
index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixWebServicesforLicensing” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y
Hyper-V 2016 PowerShell Commands
Here are the PowerShell commands that I found useful when studying for the Windows Server 2016 MCSE. I hope you … Continue reading “Hyper-V 2016 PowerShell Commands”
Here are the PowerShell commands that I found useful when studying for the Windows Server 2016 MCSE. I hope you find them useful. If you do please let me know.
Here is the PowerShell command to create a new Hyper-V virtual hard disk image file.
new-vhd –path c:\filename.vhd|c:\filename.vhdx –fixed|-dynamic|-differencing –sizebytes size [-blocksizebytes blocksize] [-logicalsectorsizebytes 512|4096]
The following command creates a 500 GB fixed VHDX image file with a logical sector size of 4 KB:new-vhd –path c:\diskfile.vhdx –fixed –sizebytes 500gb -logicalsectorsizebytes 4096
To create a VHD set in Windows PowerShell, you use the New-VHD cmdlet, just as you would to create any virtual disk file, except that you use VHDS for the extension of the file you are creating, as in the following example:new-vhd –path c:\diskfile.vhds –dynamic –sizebytes 1tb
To create a differencing disk using Windows PowerShell, you must run the New-VHD cmdlet with the Differencing parameter and the ParentPath parameter, specifying the location of the parent disk, as in the following example:new-vhd –path c:\disks\diffdisk.vhdx –sizebytes 1tb –differencing -parentpath c:\disks\parentdisk.vhdx
You can also mount and dismount a VHD or VHDX file by using the Mount-VHD and
Dismount-VHD PowerShell cmdlets, as in the following examples:mount-vhd -path c:\disks\server1.vhdx
dismount-vhd -path c:\disks\server1.vhdx
To install a Windows role or feature to an offline virtual disk, you add the Vhd parameter
to the Install-WindowsFeature command, as in the following example:
install-windowsfeature -vhd c:\disks\server1.vhdx -name web-server
-includemanagementtools
To compact a virtual hard disk file (mounted as a read-only disk), you use
the Optimize-VHD cmdlet, as in the following example:optimize-vhd -path c:\disks\server1.vhdx -mode full
To convert a virtual hard disk file, you use the Convert-VHD cmdlet, as in the following examples that converts a fixed VHD file to a dynamic VHDX:convert-vhd -path c:\disks\server1.vhd -destinationpath c:\disks\server1.vhdx -vhdtype dynamic
To expand or shrink a virtual disk, you use the Resize-VHD cmdlet with the SizeBytes parameter, as in the following example. The same command can expand or shrink a disk, depending on its original size. To shrink a disk to is smallest possible size, you can add the ToMinimumSize parameter.resize-vhd -path c:\disks\server1.vhdx -sizebytes 500gb
To merge a differencing disk into its parent disk, you use the Merge-VHD cmdlet, as in the following command. If there are multiple generations of child disks involved, merging the youngest child disk into the parent merges all of the intervening child disks as well. merge-vhd -path c:\disks\child.vhdx -destionationpath c:\disks\parent.vhdx
To apply a checkpoint with PowerShell, you use the Restore-VMCheckpoint cmdlet, as in the following example.restore-vmcheckpoint -name checkpoint1 -vmname server1
You can display a list of all the checkpoints for a specific VM, including their names, by using the Get-VMCheckpoint cmdlet.
To modify the checkpointing defaults in PowerShell, you use the Set-VM cmdlet, as in the following example:set-vm -name server1 -checkpointtype standard
To configure these settings with Windows PowerShell, you use the Set-VMHardDiskDrive cmdlet, as in the following example. The ControllerType and ControllerNumber parameters specify which drive to configure, and the MinimumIOPS and MaximumIOPS parameters specify the QoS settings.set-vmharddiskdrive -vmname server1 -controllertype scsi -controllernumber 0 -minimumiops 10 -maximumiops 500
After enabling resource metering on the VM, you can use the Measure-VM
cmdlet to display its current disk usage, as shown in the following examples. The output of the Measure-VM cmdlet is shown in Figure 3-54. After checking the IOPS under workload of the VM, you can zero in on appropriate QoS settings.enable-vmresourcemetering -vmname server1
measure-vm -vmname server1 | fl
To create a network adapter with PowerShell, you use the Add-VMNetworkAdapter cmdlet, as in the following example:add-vmnetworkadapter -vmname server1 -switchname private1
To remove a network adapter with PowerShell, you use the Remove-
VMNetworkAdapter cmdlet, as in the following example:remove-vmnetworkadapter -vmname server1 -vmnetworkadapter nic1
To create a new virtual switch with Windows PowerShell, you use the New-VMSwitch cmdlet,
as in the following examples:new-vmswitch -name lan1 –netadaptername "ethernet 2"
new-vmswitch -name private1 –switchtype private
You can also enable VMQ on a specific adapter by running a PowerShell command like the following:enable-netadaptervmq -name nic1
To discover whether your physical network adapters support VMQ, run the Get-Net-AdapterVmq
cmdlet in a PowerShell window with Administrator privileges. A blank response indicates that your adapters do not support VMQ.
use the Get-NetAdapterVmqQueue cmdlet to see which queues are assigned to which logical processors.
To modify the default VMQ settings, you use the Set-NetAdapterVmq PowerShell cmdlet.
StoreFront Service Status by Splunk Query
Use Splunk to Query StoreFront Service Status
Here are the Splunk Queries I use to find StoreFront Services in the XenDesktop environment. They are specific to each StoreFront service. The last SPL query will pull on the StoreFront services from hosts that you specify. Please let me know what you think and if they help in your XenDesktop environment.
Citrix Configuration Replication Service:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixConfigurationReplication” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Credential Wallet Service:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixCredentialWallet” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Default Domain Service:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixDefaultDomainService” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Peer Resolution Service:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”Citrix Peer Resolution Service” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Service Monitor:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixServiceMonitor” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Privileged Service:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixPrivilegedService” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Subscriptions Store Service:
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixSubscriptionsStore” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Or if you want a single query to return the XenDesktop services status from a list hosts use this SPL Query:
index=”windows” eventtype=hostmon_windows Type=Service host=”StoreFrontServer01″ OR host=”StoreFrontServer02″ OR host=”StoreFrontServer03″ OR host=”StoreFrontServer04″ OR host=”StoreFrontServer05″ OR host=”StoreFrontServer06″ Name=”Citrix*” StartMode=”Auto” State=”*” | sort host, Name, State | table host, Name, State
XenDesktop Error Visualization in Splunk
Citrix XenDesktop Errors Visualized with Splunk
Here are the Splunk Queries I use when I need to create Splunk timechart dashboards to visualize Citrix XenDesktop errors. Try them out and let me know how they work in your environment.
This SPL Query grabs all Citrix related errors:
- All Citrix Errors
index=”wineventlog” sourcetype=”WinEventLog:Application” SourceName=”Citrix*” error | timechart count(EventCode) by SourceName
This query displays database errors for the last 7 days:
- All Citrix Database Errors (7 Days)
index=”wineventlog” sourcetype=”WinEventLog:Application” SourceName=”Citrix*” database* | timechart count(EventCode) by SourceName
Here is a query to display all events flagged as “failed” in the event log:
- All Citrix Failures
index=”wineventlog” sourcetype=”WinEventLog:Application” SourceName=”Citrix*” failed| timechart count(EventCode) by SourceName
It is really not good to have timeouts anywhere in your Citrix XenDesktop environment so here is a timechart query to display when they are happening:
- All Citrix Timeouts
index=”wineventlog” sourcetype=”WinEventLog:Application” SourceName=”Citrix*” timeout | timechart count(EventCode) by SourceName
Virtual machine events are easily displayed using this timechart query:
- All Citrix Virtual Machine Events
index=”wineventlog” sourcetype=”WinEventLog:Application” SourceName=”Citrix*” virtual | timechart count(EventCode) by SourceName
Create UEFI Bootable USB Flash Drive
UEFI Bootable Flash Drive Issues
I finally purchased a new laptop and of course it came with Windows Home pre-installed. I want to test out Windows Enterprise so I need to make a bootable USB flash drive with the Windows 10 Enterprise on it. I’ve used RUFUS for years to create bootable USB flash drives so without thinking I let it run with the defaults. Turns out with the new computers the BIOS is set to UEFI as default and the USB flash drive did not boot. After a little research I found information on which settings to use for RUFUS and there is a Microsoft tool specifically for creating UEFI bootable USB flash drives. The links to booth tools are below as well as to some really good how to guides for using both tools.
Microsoft Windows USB/DVD Download Tool
Creating Windows UEFI Boot-Stick in Windows by Thomas Krenn
How to install Windows 10 from USB with UEFI support by Windows Central
Splunk StoreFront Dashboard
Need to create a StoreFront Dashboard in Splunk?
Here is a quick SPL query you can run to gather some basic information on that state of the Citrix XenDesktop services that are running in your environment. If you want to narrow it down to your StoreFront hosts just replace the asterisk in the “host=”*”” with the names of your StoreFront servers or the beginning pattern of the host names for you StoreFront servers.
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”Citrix*” StartMode=”Auto” State=”*” | sort Name, State | table host, Name, StartMode, State
Want to know how many of each Citrix service is running across those hosts?
Just add | stats count by Name
Want to know how many Citrix services are running on each host?
Just add | stats count by host
Splunk REGEX for WinEventLog TerminalServices-LocalSessionManager
Splunk REGEX for RDP Session Logs
Ever want to get info on Terminal Services Local Session Manager Operations logs on your Windows servers to see who attempts to RDP into your Windows servers? Well here is a Splunk REGEX Field Extraction to get the RDP session info since Splunk was not able to figure out the field/value pairs on its own. For this REGEX to be useful you need to make sure that you are ingesting the WinEventLog for Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. This Event Log captures all the events around RDP session creation, usage, and tear down. It is useful to tell who logged in using RDP and if any errors occurred during the session from start to finish.
In case you are wondering how I got to the below REGEX it is because Splunk’s REGEX engine has it’s own personality and the other REGEX tools online output “standard” REGEX that Splunk did not like.
WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational : EXTRACT-TSOpsLog_Domain_UserName
^\d+/\d+/(\d+\s+)+\d+:\d+:(\d+\s+)+(\w+\s+)+\w+=\w+\-\w+\-\w+\-\w+/(\w+\s+)+\w+=\w+\-\w+\-\w+\-(\w+\s+)+\w+=(\d+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+\w+=\w+\d+\w+\d+\.\w+\.(\w+\s+)+\w+=\w+_(\w+\s+)+\w+=\w+\-\d+\-\d+\-(\d+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+\w+\.\s+\w+=(\w+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+\w+=(\w+\s+)+\w+:\s+(\w+\s+)+\w+:\s+\w+:\s+(?P\w+\\)(?P\w+)
Splunk Query for Xen Desktop Services
If you have Citrix Xen Desktop in your environment and want to check on which server they are installed and their state use these Splunk queries. It is helpful so that you don’t have to keep an active list of the Xen Desktop servers. You could keep the list of Xen Desktop servers in a lookup but these queries are dynamic which saves you the headache of keeping the lookup current. These Splunk queries are also great if you are spinning up Xen servers on demand.
There is a Splunk query for each Citrix service that runs in a Xen Desktop environment so you can create a display for each one individually if you want.
XAV Server
Citrix Audio Redirection Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CtxAudioSvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Desktop Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”BrokerAgent” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Diagnostic Facility COM Server
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CdfSvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Encryption Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”Citrix Encryption Service” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix End User Experiencing Monitoring
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”Citrix EUEM” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Group Policy Engine
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixCseEngine” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix HDX MediaStream for Flash Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CtxFlashSvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Location and Sensor Virtual Channel Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CtxSensVcSvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Mobile Receiver Virtual Channel Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”MRVCSvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Print Manager Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”cpsvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Profile Management
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”ctxProfile” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Pvs for VMs agent
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”PvsVmAgent” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Services Manager
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”ServicesManager” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Smart Card Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CtxSmartCardSvc” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
Citrix Stack Control Service
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”StackControlService” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State
CitrixTelemetryService
index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixTelemetryService” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State