Splunk Antivirus Exemptions

There are two main parts of your Splunk environment that will need exemptions from antivirus software: the hosts that run Splunk Enterprise and the hosts that run the Universal Forwarder. The file locations differ between Windows and Linux. The paths below assume you installed Splunk to the default location; if your environment required installing to another directory, adjust the paths accordingly. You will also need to check whether any of the scripts run by the apps or add-ons you installed need to be exempted as well. This is the case in my environment, and I have to get any file changes exempted before they will run in the production environment. This can get tricky when you are pushing changes to Universal Forwarders and the folders/files are transferred successfully but do not run to return results.

As of the current release at the time of writing, those locations are:

Splunk Enterprise on Windows Server

\Program Files\Splunk and all sub-directories
\Program Files\Splunk\var\lib\splunk and all sub-directories

Splunk Universal Forwarder on Windows OS

\Program Files\SplunkUniversalForwarder and all subdirectories

Splunk Enterprise on Linux

/opt/splunk and all sub-directories
/opt/splunk/var/lib/splunk and all sub-directories

Splunk Universal Forwarder on Linux OS

/opt/splunkforwarder and all subdirectories

Files to exclude on Windows

splunk-admon.exe
splunk-compresstool.exe
splunk-MonitorNoHandle.exe
splunk-netmon.exe
splunk-optimize-lex.exe
splunk-optimize.exe
splunk-perfmon.exe
splunk-regmon.exe
splunk-winevtlog.exe
splunk-winhostinfo.exe
splunk-winprintmon.exe
splunk-wmi.exe
splunk.exe
splunkd.exe
splunkweb.exe

Files to exclude on Linux

bloom
btool
btprobe
bzip2
cherryd
classify
exporttool
locktest
locktool
node
python*
splunk
splunkd
splunkmon
tsidxprobe
tsidxprobe_plo
walklex
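When a pushed script has been exempted but still returns nothing, the forwarder's own splunkd.log usually records why. The following query is an added example and not part of the original post: it lists scripted inputs that are failing, per host, from the internal index. It assumes the standard splunkd sourcetype in index=_internal and that ExecProcessor error lines contain the text message from "<script path>" (common, but verify the rex against your own splunkd.log and adjust it if the format differs).

```spl
index=_internal sourcetype=splunkd component=ExecProcessor log_level=ERROR
| rex field=_raw "message from \"(?<script_path>[^\"]+)\""
| fillnull value="(unparsed)" script_path
| stats count AS errors latest(_time) AS last_error latest(_raw) AS last_message BY host, script_path
| eval last_error=strftime(last_error, "%Y-%m-%d %H:%M:%S")
| sort -errors
| table host, script_path, errors, last_error, last_message
```

Run it over the window right after a deployment push: "permission denied" or "no such file" messages for paths under the excluded directories point at the antivirus quarantine or at the push itself, rather than at the script logic. Because everything under an excluded directory runs unscanned, keep write access to those directories limited to the Splunk service account and your deployment process, so the exemption does not become a blind spot.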


Citrix Licensing Services Splunk Query

Find the Status of Citrix Licensing Services with Splunk

[Image: Citrix Licensing]

During this exercise to get Splunk to ingest data from Citrix and make sense of it, we came to the licensing server. We have ours running on a dedicated server; however, the Splunk queries still search all hosts to keep the queries standard, and if you ever plan on expanding your Citrix environment later you are covered. There are only 2 services that run on the license server concerned with Citrix: Citrix Licensing and CitrixWebServicesforLicensing.

These Splunk queries will give you a table with hosts and the state of those 2 services. The dedup statement prevents the same server from showing up more than once, which can otherwise happen depending on how often your Splunk Universal Forwarder gathers data and the time range you run your query for on the dashboard.

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="Citrix Licensing" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixWebServicesforLicensing" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State
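As an added example (not from the original post), the two queries can be combined into one. It uses Name IN (...) to cover both services and stats latest() instead of dedup, so the table shows the most recent state for each host and service pair and flags anything that is not running. It assumes the Windows add-on's State field takes values such as "Running" and "Stopped", which is the norm for WinHostMon service data; adjust the comparison if your add-on reports differently.

```spl
index="windows" eventtype=hostmon_windows Type=Service StartMode="Auto"
    Name IN ("Citrix Licensing", "CitrixWebServicesforLicensing")
| stats latest(State) AS State latest(_time) AS last_seen BY host, Name
| eval Status=if(State="Running", "OK", "CHECK")
| eval age_min=round((now()-last_seen)/60, 0)
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort Status, host, Name
| table host, Name, State, Status, last_seen, age_min
```

dedup host keeps only the first (most recent) event per host, which is why the original needs one query per service; latest() grouped by host and Name gives the same effect for both services in a single search. The age_min column shows how old the latest report is, so a license server whose forwarder has stopped sending data stands out instead of silently keeping its last known state.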

As always please let me know what you think.

Thank you,
Logan Bingham

Citrix PVS Boot Time Splunk Query

Ever wonder how to get the boot time that Citrix XenDesktop PVS puts in the Windows Application Event Log in a format that you can calculate in Splunk?

I have my Windows Event Logs dumped into index=wineventlog with a sourcetype=WinEventLog:Application. When looking for the PVS boot time you need to search for SourceName=StreamProcess. That will give you all the events for Stream Process, and all of those events use EventCode=10 EventType=4 Type=Information. Unfortunately, the way PVS records the boot time for each VM is in the Message field in the following format: Message=Device VMNAME boot time: X minutes Y seconds.

Here is my attempt that uses a regex in the query to get the numbers out of the Message field and into a table:

index="wineventlog" sourcetype=WinEventLog:Application  SourceName=StreamProcess Message="Device * boot time: * minutes * seconds." | rex field=_raw "(?ms)^\\d+/\\d+/\\d+\\s+\\d+:\\d+:\\d+\\s+\\w+\\s+\\w+=\\w+\\s+\\w+=\\w+\\s+\\w+=\\d+\\s+\\w+=\\d+\\s+\\w+=\\w+\\s+\\w+=\\w+\\d+\\w+\\d+\\.\\w+\\.\\w+\\s+\\w+=\\w+\\s+\\w+=\\w+\\s+\\w+=\\d+\\s+\\w+=\\w+\\s+\\w+=\\w+(?P<PVSDesktopName>\\s+\\w+\\s+)[^:\\n]*:\\s(?P<PVSBootTimeMin>[^\\s]+)\\s+\\w+\\s(?P<PVSBootTimeSec>[^\\s]+)" offset_field=_extracted_fields_bounds | table PVSDesktopName, PVSBootTimeMin, PVSBootTimeSec | sort -PVSBootTimeMin

Now that the minutes and seconds are separate fields you can do math on them, for example to convert the boot time to seconds:

index="wineventlog" sourcetype=WinEventLog:Application  SourceName=StreamProcess Message="Device * boot time: * minutes * seconds." | rex field=_raw "(?ms)^\\d+/\\d+/\\d+\\s+\\d+:\\d+:\\d+\\s+\\w+\\s+\\w+=\\w+\\s+\\w+=\\w+\\s+\\w+=\\d+\\s+\\w+=\\d+\\s+\\w+=\\w+\\s+\\w+=\\w+\\d+\\w+\\d+\\.\\w+\\.\\w+\\s+\\w+=\\w+\\s+\\w+=\\w+\\s+\\w+=\\d+\\s+\\w+=\\w+\\s+\\w+=\\w+(?P<PVSDesktopName>\\s+\\w+\\s+)[^:\\n]*:\\s(?P<PVSBootTimeMin>[^\\s]+)\\s+\\w+\\s(?P<PVSBootTimeSec>[^\\s]+)" offset_field=_extracted_fields_bounds | eval BootTimeSec=((PVSBootTimeMin*60)+(PVSBootTimeSec)) | table PVSDesktopName, BootTimeSec
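The following is an added example, not the original post's query. It performs the same extraction anchored on the Message field itself rather than on the whole raw event, which is far less brittle when the event header layout changes, converts explicitly with tonumber() so the arithmetic cannot fall back to string concatenation, and summarises per desktop. It assumes the Windows add-on populates Message (as described above) and that the text is exactly Device <name> boot time: <N> minutes <M> seconds; the optional trailing "s" in the regex only covers a singular "minute" or "second" if PVS ever emits one.

```spl
index="wineventlog" sourcetype="WinEventLog:Application" SourceName=StreamProcess "boot time"
| rex field=Message "^\s*Device\s+(?<PVSDesktopName>\S+)\s+boot time:\s+(?<PVSBootTimeMin>\d+)\s+minutes?\s+(?<PVSBootTimeSec>\d+)\s+seconds?"
| where isnotnull(PVSBootTimeMin)
| eval BootTimeSec=tonumber(PVSBootTimeMin)*60 + tonumber(PVSBootTimeSec)
| stats latest(BootTimeSec) AS LastBootSec avg(BootTimeSec) AS AvgBootSec max(BootTimeSec) AS WorstBootSec count AS Boots BY PVSDesktopName
| eval AvgBootSec=round(AvgBootSec, 0)
| sort -LastBootSec
```

The where clause drops StreamProcess events whose Message does not match, so a change in PVS wording shows up as missing rows rather than as empty cells, and the max column makes a desktop with one very slow boot visible even when its average looks fine.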

[Screenshot: Splunk PVS boot time in seconds]
Splunk Query Determine NetScaler Load Balanced VIP Status

Determine the status of an individual Load Balanced Service with this Splunk query

When you have your NetScaler load-balancing traffic for a service, Splunk is a great way to monitor and report on the status of the load balanced VIP. Note that we are talking about the load balanced VIP resource, which is per VIP, not per service or service group.

[Image: NetScaler Load Balancing]

index="netscaler"
source="stat:lbvserver"
sourcetype="citrix:netscaler:nitro"
actsvcs="*"
avl_status="1"
avl_status_string="UP"
citrix_netscaler_avl_status="1"
citrix_netscaler_state="UP"
name="*"

The index is the index you are using for netscaler data.

The source is stat:lbvserver and the sourcetype is citrix:netscaler:nitro.

The name field is the name of the load balanced VIP you want to check with this query.

There are a few fields you can use, depending on whether you want a binary or a text result returned. Which one you choose is up to you, and it determines the type of visualization you can use.

For the binary status of the load balanced VIP use avl_status or citrix_netscaler_avl_status; they return "0" or "1".

For the text status of the load balanced VIP use avl_status_string or citrix_netscaler_state; they return "UP" or "DOWN".
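One thing to keep in mind with the search above is that filtering on avl_status="1" and avl_status_string="UP" means a VIP that goes down simply disappears from the results rather than being reported as DOWN. The query below is an added example, not from the original post: it drops those filters, takes the latest status per VIP, and also marks a VIP as STALE when the add-on has not reported on it recently, so a dead poller is not mistaken for a healthy VIP. The 15 minute threshold is an assumption; set it to a few multiples of the polling interval you configured for the Splunk Add-on for Citrix NetScaler.

```spl
index="netscaler" source="stat:lbvserver" sourcetype="citrix:netscaler:nitro" name="*"
| stats latest(avl_status_string) AS state latest(actsvcs) AS active_services latest(_time) AS last_seen BY name
| eval age_min=round((now()-last_seen)/60, 0)
| eval health=case(age_min>15, "STALE", state="UP", "OK", true(), "DOWN")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort health, name
| table name, state, active_services, health, last_seen, age_min
```

Because health is a plain string, the same search feeds a single-value panel (count by health) or a table with conditional colouring, and active_services shows a VIP that is UP but running on fewer backends than expected.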

I hope this helps you create reports that are not generated by Citrix products but by Splunk. If you make a cool report or chart in Splunk, let me know in the comments.

The data that the query looks for is captured using the Splunk Add-on for Citrix NetScaler which is a Splunk supported Add-on so you can get support for it if you have a valid support contract. I know that having the vendor provide support sometimes makes a difference when it comes to choosing the add-ons you use in your Splunk environment. Here is the link to the Splunk Add-on for Citrix NetScaler docs if you want to have a look.

Thank you,

Logan Bingham