Template for Citrix XenApp: Why are Citrix dashboards not populating data?

wilson328
New Member

I have a Splunk POC environment and I'm trying to get data from my Citrix environment into Splunk via the XenApp plug-in (Template for Citrix XenApp).

I have the Universal Forwarder installed on a Windows XenApp system. I have copied the TA-XA6x-Server folder to the "etc\apps\TemplateForXenApp\appserver\addons" directory.

I have set PowerShell execution policy to unrestricted.

Yet I still see no data in any of the Citrix dashboards. I do see event data making it into Splunk so I know that the universal forwarder is working. I'm simply not seeing any Citrix data populating any of the Citrix dashboards.

-Wondering if anybody can point me in the right direction to troubleshoot this?

0 Karma

wilson328
New Member

Thanks for your response.

I currently only have the forwarder installed on one server which is the XenApp server. I don't have the forwarder installed on any zone data collectors or XML servers. Even so, shouldn't I at least be getting server performance metrics under "Server Performance Overview" in the Citrix Template app?

Also, the Splunk forwarder on my lone XenApp server is running under local system with local admin access. My Citrix admins say that Farm Admin access is not needed since all of those PowerShell scripts should work under local system credentials and the server we are testing this on is not a data collector.

I did go and rebuild the Windows Host Lookup file and my server does show up in there when I do the rebuild.....but I still see no data in any of the Citrix dashboards.

-not sure if any of the above is the root cause for the data not showing in the dashboards...?

0 Karma

jconger
Splunk Employee

You still need to install the ZDC add on. You won't see most data without it because most of the searches in the Template specify FarmName since the Template supports multiple farms. You will notice the Farm Name drop down list on most dashboards - the data from the ZDC add on populates this. Even the server performance dashboards need this.

There is a separate lookup defined in props.conf that adds the FarmName field to perfmon data (perfmon data has no concept of XenApp farm). The lookup is defined as follows:

[(?::){0}PerfmonMk:*]
LOOKUP-PerfmonMk:Processor Host Farm Lookup = farmHosts host AS host OUTPUTNEW FarmName AS FarmName

Without the ZDC data, none of this is going to work.

0 Karma

wilson328
New Member

Ahh, ok, that makes sense.

So after speaking with my Citrix Admins, they have some security concerns after the requirement that the Splunk forwarder needs XenApp Farm Administrator privileges. Does it really need that level of access? Will it work with read-only access?

Also, is there any way for the Splunk server to push scripts out to the Citrix servers and run them? Are any of the dashboards realtime dashboards that call upon a script to run? Those would be huge security concerns if true.

My understanding is that the universal forwarder is exactly as its name implies.....it forwards data only so the communication only goes one way. But my Citrix admins just want to make sure....

0 Karma

jconger
Splunk Employee

Q1. The account used can be a read-only account (Citrix calls it a Farm Admin even if it is read-only).

Q2. No, the Splunk server does not push scripts out and run them. The universal forwarder runs the PowerShell scripts and forwards the output of those scripts to the Splunk indexer (whatever is written to the screen is what shows up in the Splunk index). The scripts are open source if your admins want to take a look or tweak them. Also, real time in this case means as the data comes in from the forwarder to the Splunk server.

Q3. The data is a one way flow from XenApp server to Splunk indexer.

This app is named "template" to imply that you can take whatever parts you want, throw away what you don't, or modify it until your heart's content.

0 Karma

wilson328
New Member

Ok, after doing some more digging it appears that the Host to Farm lookup table isn't getting populated because it's not finding anything because this query is coming up empty:

search index=xd sourcetype=xenapp:*:server

I can verify that the XD index exists and I can see the data from my ZDC servers when I do a generic search. But I don't see any sourcetype that equals to xenapp.

0 Karma

wilson328
New Member

Ok, here are the results after running that search:

sourcetype                     count
WMI:Services                   563755
WMI:SessionProcess             8782759
WinHostMon                     83
xenapp:65:application          9674
xenapp:65:farm                 25
xenapp:65:installedsoftware    903
xenapp:65:workergroup          225

0 Karma

jconger
Splunk Employee

Looking at that, I see that there is data from both the broker TA and server TA. However, the data from the PowerShell scripts is not there (which includes the xenapp:65:server data).

Check to make sure the account the Splunk Windows service is running as is a XenApp admin. Also, make sure the PowerShell execution policy is at a minimum RemoteSigned. You can check this by running the following from the PowerShell command prompt:

Get-ExecutionPolicy

0 Karma
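
The two checks from the answer above (execution policy and the account behind the forwarder service), as an added PowerShell example that is not part of the original thread or of the Template's own scripts. The service name SplunkForwarder is an assumption (the universal forwarder's default name); change it if your install differs.

```powershell
# Added example, not from the thread or the Template for Citrix XenApp.
# Assumption: the forwarder service uses the default name 'SplunkForwarder'.
$serviceName = 'SplunkForwarder'

# RemoteSigned is the minimum the answer asks for; anything looser also lets
# the scripts run but is more permissive than the add-on needs.
$sufficient = 'RemoteSigned', 'Unrestricted', 'Bypass'
$looser     = 'Unrestricted', 'Bypass'

# Show each scope; the CurrentUser row belongs to whoever runs this check,
# not to the account the forwarder service runs as.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

$effective = (Get-ExecutionPolicy).ToString()
if ($sufficient -notcontains $effective) {
    Write-Warning "Effective policy '$effective' is stricter than the RemoteSigned minimum given in the answer."
} elseif ($looser -contains $effective) {
    Write-Warning "Effective policy '$effective' is looser than the RemoteSigned minimum."
} else {
    Write-Output "Effective policy '$effective' meets the RemoteSigned minimum."
}

# Win32_Service.StartName is the logon account of the service.
# Get-WmiObject is used so the check also runs on PowerShell 2.0.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found on this host."
} else {
    Write-Output ("{0} is {1}, running as {2}" -f $svc.Name, $svc.State, $svc.StartName)
    if ($svc.StartName -eq 'LocalSystem') {
        # Per the thread, the PowerShell inputs need an account with
        # (read-only) XenApp farm admin rights.
        Write-Warning "LocalSystem is not a XenApp farm account; use a service account with read-only farm access."
    }
}
```

Run it on the XenApp server in the same PowerShell bitness the forwarder uses, since 32-bit and 64-bit PowerShell keep separate machine-level execution policies.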

wilson328
New Member

Ok, so I finally got the agents running under a service account with read-access to the Citrix Farm.

The problem now is that when I go to kick off the "Rebuild the Host to Farm Table" nothing gets returned. I do see some systems popping up when I rebuild the Farm Lookup file and the Windows Host Lookup file....but not all of the systems are appearing. I know that the Splunk forwarders are sending data to Splunk....I can do an event search and see the data in Splunk.

Right now I do see data in the Applications Overview. In the Environment Overview dashboard I see the Farm Details pane populated but none of the others are populated (Health, users by Farm, Popular Apps, etc.) And still none of the server performance metrics are populating any of the dashboards.

0 Karma

jconger
Splunk Employee

What do you get if you run the following search:

index=xd | stats count by sourcetype

0 Karma

jconger
Splunk Employee

On your XenApp server, make sure to copy TA-XA6x-Server to:

$SPLUNK_HOME\etc\apps\TA-XA6x-Server

On your Zone Data Collector, make sure to copy TA-XA6x-ZDC to:

$SPLUNK_HOME\etc\apps\TA-XA6x-ZDC

On your XML server, make sure to copy TA-XA6x-XML to:

$SPLUNK_HOME\etc\apps\TA-XA6x-XML

All three of these can go on the same server for a POC if necessary.

You may also need to manually build the farm and host lookup files. This happens automatically on a timed basis, but you can force it by going to Help -> Rebuild Lookup Files within the app. These lookup files are used to connect server performance data with XenApp farms (because perfmon has no concept of a farm).

Finally, make sure the Splunk Windows Service is running as a user that has access to the Citrix XenApp farm.

0 Karma