DDC Service Status Splunk Query

Here are the Splunk queries that I use to find the status of each Citrix XenDesktop service that runs on each DDC server. It is really useful to find all services, but these Splunk queries break out each XenDesktop service into its own query so you can slice and dice depending on what you are looking for. It speeds things up in Splunk if you can narrow the amount of data you pull in the first place.

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixAdIdentityService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixAnalytics" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixBrokerService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixConfigurationLogging" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixConfigurationService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixDelegatedAdmin" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixEnvTest" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixHostService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixMachineCreationService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixMonitor" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixPrivilegedService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixStorefront" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Splunk Queries for Citrix XenDesktop Services

I developed the following Splunk queries to count how many of each XenDesktop service is running in the Citrix environment. Each query is based upon the Windows service name and looks for the Start Mode to be AUTO. It will return a count of the service whether the service is running or not. If you only want to know the count when the service is running, that is an easy change to the 'State' field value.

The Citrix EUEM service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="Citrix EUEM" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Encryption Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="Citrix Encryption Service" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Licensing service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="Citrix Licensing" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Peer Resolution Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="Citrix Peer Resolution Service" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix AD Identity Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixAdIdentityService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Analytics service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixAnalytics" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Broker Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixBrokerService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Configuration Logging service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixConfigurationLogging" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Configuration Replication service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixConfigurationReplication" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Configuration Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixConfigurationService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Credential Wallet service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixCredentialWallet" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix CSE Engine service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixCseEngine" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Default Domain Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixDefaultDomainService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Delegated Admin service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixDelegatedAdmin" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Environment Test service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixEnvTest" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Host Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixHostService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Machine Creation Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixMachineCreationService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Monitor service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixMonitor" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Privileged Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixPrivilegedService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Redirector service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixRedirector" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Service Monitor service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixServiceMonitor" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Storefront service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixStorefront" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Subscriptions Store service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixSubscriptionsStore" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Telemetry Service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixTelemetryService" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

The Citrix Web Services for Licensing service:

index="windows" source="service" eventtype=hostmon_windows Type="Service" host="*" Name="CitrixWebServicesforLicensing" StartMode="Auto" State="*"
| dedup host
| chart count(Name) as y

StoreFront Service Status by Splunk Query

Use Splunk to Query StoreFront Service Status

Here are the Splunk queries I use to find StoreFront services in the XenDesktop environment. They are specific to each StoreFront service. The last SPL query will pull the StoreFront services from hosts that you specify. Please let me know what you think and if they help in your XenDesktop environment.

Citrix Configuration Replication Service:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixConfigurationReplication" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Credential Wallet Service:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixCredentialWallet" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Default Domain Service:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixDefaultDomainService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Peer Resolution Service:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="Citrix Peer Resolution Service" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Service Monitor:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixServiceMonitor" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Privileged Service:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixPrivilegedService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Subscriptions Store Service:
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixSubscriptionsStore" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Or, if you want a single query to return the status of the XenDesktop services from a list of hosts, use this SPL query:

index="windows" eventtype=hostmon_windows Type=Service host="StoreFrontServer01" OR host="StoreFrontServer02" OR host="StoreFrontServer03" OR host="StoreFrontServer04" OR host="StoreFrontServer05" OR host="StoreFrontServer06" Name="Citrix*" StartMode="Auto" State="*" | sort host, Name, State | table host, Name, State

XenDesktop Error Visualization in Splunk

Citrix XenDesktop Errors Visualized with Splunk

Here are the Splunk Queries I use when I need to create Splunk timechart dashboards to visualize Citrix XenDesktop errors. Try them out and let me know how they work in your environment.

This SPL query grabs all Citrix-related errors:

  • All Citrix Errors
    index="wineventlog" sourcetype="WinEventLog:Application" SourceName="Citrix*" error | timechart count(EventCode) by SourceName

This query displays database errors for the last 7 days:

  • All Citrix Database Errors (7 Days)
    index="wineventlog" sourcetype="WinEventLog:Application" SourceName="Citrix*" database* | timechart count(EventCode) by SourceName

Here is a query to display all events flagged as "failed" in the event log:

  • All Citrix Failures
    index="wineventlog" sourcetype="WinEventLog:Application" SourceName="Citrix*" failed | timechart count(EventCode) by SourceName

It is really not good to have timeouts anywhere in your Citrix XenDesktop environment so here is a timechart query to display when they are happening:

  • All Citrix Timeouts
    index="wineventlog" sourcetype="WinEventLog:Application" SourceName="Citrix*" timeout | timechart count(EventCode) by SourceName

Virtual machine events are easily displayed using this timechart query:

  • All Citrix Virtual Machine Events
    index="wineventlog" sourcetype="WinEventLog:Application" SourceName="Citrix*" virtual | timechart count(EventCode) by SourceName

Splunk StoreFront Dashboard

Need to create a StoreFront Dashboard in Splunk?

Here is a quick SPL query you can run to gather some basic information on the state of the Citrix XenDesktop services that are running in your environment. If you want to narrow it down to your StoreFront hosts, just replace the asterisk in host="*" with the names of your StoreFront servers or the beginning pattern of the host names for your StoreFront servers.

index="windows" eventtype=hostmon_windows Type=Service host="*" Name="Citrix*" StartMode="Auto" State="*" | sort Name, State | table host, Name, StartMode, State

Want to know how many of each Citrix service is running across those hosts?

Just add | stats count by Name

Want to know how many Citrix services are running on each host?

Just add | stats count by host
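
As an added example (not one of the original post's queries), the search below produces the per-service running count described under "Splunk Queries for Citrix XenDesktop Services" and in the two "Just add" tips above, in a single pass. It takes the latest State for each host and service first, so a service is counted once per host however many events the time range holds, and it lists the hosts where an Auto-start Citrix service is not running. It assumes the State field reads "Running" for a started service; the output field names (hosts, running, not_running, hosts_not_running) are illustrative.

```spl
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="Citrix*" StartMode="Auto"
| stats latest(State) as State by host, Name
| stats dc(host) as hosts,
        count(eval(State="Running")) as running,
        count(eval(State!="Running")) as not_running,
        values(eval(if(State!="Running", host, null()))) as hosts_not_running
        by Name
| sort -not_running, Name
```

To drive an alert rather than a dashboard panel, append `| where not_running > 0` so that only services with at least one affected host are returned.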