All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Template for Citrix XenApp - Why is applications dashboard only showing one application?

mikaelbje
Motivator
‎08-27-2014 05:23 AM

I recently installed Template for Citrix XenApp at a customer site. We were puzzled as the applications dashboard only showed one application.

The solution can be found below. I am documenting this in case anyone else is seeing the same issue.

Reply
1 Solution
Solved! Jump to solution
Solution

mikaelbje
Motivator
‎09-02-2014 01:01 AM

It appears that the reason for this is that the sourcetype=xenapp:65:application had all events merged into one event and we were only seeing the first entry in that event.

The solution was to deploy the following to a props.conf on the indexers



[xenapp:65:application]

SHOULD_LINEMERGE = false

This is Splunk 6.1.3. Citrix servers run Splunk Universal Forwarders. The documentation did not state that this step was necessary and there is no such stanza in the Template for Citrix XenApp App either, so I suspect that this might have worked out of the box on Splunk 6.0 but not on 6.1.3.

View solution in original post

Reply
Solved! Jump to solution
Solution

mikaelbje
Motivator
‎09-02-2014 01:01 AM

It appears that the reason for this is that the sourcetype=xenapp:65:application had all events merged into one event and we were only seeing the first entry in that event.

The solution was to deploy the following to a props.conf on the indexers



[xenapp:65:application]

SHOULD_LINEMERGE = false

This is Splunk 6.1.3. Citrix servers run Splunk Universal Forwarders. The documentation did not state that this step was necessary and there is no such stanza in the Template for Citrix XenApp App either, so I suspect that this might have worked out of the box on Splunk 6.0 but not on 6.1.3.

Reply
Solved! Jump to solution

ppablo
Retired
‎08-27-2014 02:05 PM

Hi @mikaelbje

Could you post the solution at the bottom as an answer and accept it to mark it as solved? It'll make this more visible as a helpful post 🙂

Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...