Splunk Query to Determine NetScaler HA Status

Determine Citrix NetScaler High Availability Cluster Status with this Splunk Query

I hope you have your NetScalers setup in a HA pair and if you do you might want to know which NetScaler is acting as the Primary Node, the NetScaler Cluster fail-over status, or even if the HA pair is UP. Maybe you want to monitor the High Availability status over time and digging through email alerts is not the way to go.

Here is a Splunk query to run if you have Splunk Add-on for Citrix NetScaler.

index="netscaler" source="stat:hanode" sourcetype="citrix:netscaler:nitro"
 failover_status="1" failover_status_string="UP" hacurmasterstate="Primary" hacurstate="UP" hacurstatus="YES" haerrsyncfailure="0"

Let’s break that code down.

So here is the part the defines the index. The default is “netscaler”; however, it might be different on your system so check your Indexes and inputs.conf to be sure.


The source for this NetScaler query is the “stat:hanode” that comes from the NITRO API data.


The sourcetype is “citrix:netscaler:nitro” which is the default sourcetype for the data coming in via the NITRO API calls to the NetScalers.


Next up we have the “failover_status” that gives you the Boolean result of the status of the HA pair.


Following is the “failover_status_string” which provides an UP/DOWN string instead of the Boolean 0/1.


“hacurmasterstate” is the field to check out when you need to know which NetScaler is currently running the HA Pair: “Primary” or “Secondary”.


If you want to know what the current state of the HA pair is here is the field, “hacurstate”. It returns “UP/DOWN”.


I’m not 100% sure about this one only because I would not answer the question, “what is the HA Current Status?” with YES.


This one is important to monitor and trend as it can predict the stability of the HA Pair. This field/value will tell you if the HA pair is generating sync failures.


Splunkbase is where you can find the Splunk Add-on for Citrix NetScaler.

Author: Logan Bingham

Designing IT solutions for 20 years.

Leave a Reply