I recently installed Template for Citrix XenApp at a customer site. We were puzzled as the applications dashboard only showed one application.
The solution can be found below. I am documenting this in case anyone else is seeing the same issue.
It appears that the reason for this is that the sourcetype=xenapp:65:application had all events merged into one event and we were only seeing the first entry in that event.
The solution was to deploy the following to a props.conf on the indexers
[xenapp:65:application]
SHOULD_LINEMERGE = false
This is Splunk 6.1.3. Citrix servers run Splunk Universal Forwarders. The documentation did not state that this step was necessary and there is no such stanza in the Template for Citrix XenApp App either, so I suspect that this might have worked out of the box on Splunk 6.0 but not on 6.1.3.
It appears that the reason for this is that the sourcetype=xenapp:65:application had all events merged into one event and we were only seeing the first entry in that event.
The solution was to deploy the following to a props.conf on the indexers
[xenapp:65:application]
SHOULD_LINEMERGE = false
This is Splunk 6.1.3. Citrix servers run Splunk Universal Forwarders. The documentation did not state that this step was necessary and there is no such stanza in the Template for Citrix XenApp App either, so I suspect that this might have worked out of the box on Splunk 6.0 but not on 6.1.3.
Hi @mikaelbje
Could you post the solution at the bottom as an answer and accept it to mark it as solved? It'll make this more visible as a helpful post 🙂
Patrick