DDC Service Status Splunk Query

Here are the Splunk queries that I use to to find the status of each Citrix XenDesktop service that runs on each DDC server. It is really useful to find all services but with these Splunk queries are break out each XenDesktop service into its own query so you can slice and dice depending on what you are looking for. It speeds things up in Splunk if you can narrow the amount of data you pull in the first place.

DDC Service Status Splunk Query

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixAdIdentityService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixAnalytics ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixBrokerService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixConfigurationLogging ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixConfigurationService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixDelegatedAdmin ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixEnvTest ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixHostService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixMachineCreationService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixMonitor ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixPrivilegedService ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

index=”windows” eventtype=hostmon_windows Type=Service host=”*” Name=”CitrixStorefront ” StartMode=”Auto” State=”*” | dedup host | sort host, State | table host, State

Splunk Queries for Citrix XenDesktop Services

I developed the following Splunk queries to count how many of each XenDesktop service is running in the Citrix Environment. Each query is based upon the Windows Service name and looks for the Start Mode to be AUTO. It will return a count of the service if the service is running or not. You only want to know the count if the service is running that is an easy change to the ‘State’ field value.

The Citrix EUEM service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix EUEM” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Encryption Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix Encryption Service” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Licensing service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix Licensing” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Peer Resolution Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”Citrix Peer Resolution Service” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix AD Identity Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixAdIdentityService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Analytics service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixAnalytics” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Broker Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixBrokerService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Configuration Logging service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixConfigurationLogging” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Configuration Replication service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixConfigurationReplication” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Configuration Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixConfigurationService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Credential Wallet service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixCredentialWallet” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix CSE Engine service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixCseEngine” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Default Domain Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixDefaultDomainService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Delegated Admin service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixDelegatedAdmin” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Environment Test service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixEnvTest” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Host Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixHostService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Machine Creation Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixMachineCreationService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Monitor service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixMonitor” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Privileged Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixPrivilegedService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Redirector service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixRedirector” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Service Monitor service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixServiceMonitor” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Storefront service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixStorefront” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Subscriptions Store service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixSubscriptionsStore” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Telemetry Service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixTelemetryService” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y

The Citrix Web Services for Licensing service:

index=”windows” source=”service” eventtype=hostmon_windows Type=”Service” host=”*” Name=”CitrixWebServicesforLicensing” StartMode=”Auto” State=”*”
| dedup host
| chart count(Name) as y