At the beginning I assume, that you have a basic knowledge about Splunk.

I guess there might be two situation:

  • Besides Citrix you are also managing Splunk environment. So you know how to install it and configure. And you know, how to create new indexes, add agents (Universal Forwarder) and create new app (to define what data you would like to collect).
  • There is dedicated person/team who is managing Splunk. You all you have to do is to verify, whether Splunk agent (Universal Forwarder) is installed and working and then define metrics you want to collect (to provide it to Splunk team).

At the end, still you have to know how to use Splunk as a user who will be analyzing data – SPL, queries, dashboards, etc.

Link to Splunk documentation about data gathering:

Including Windows metrics:

In my cases all data (windows metrics and event logs) are stored in index called: perfmon.

Other metrics (ie. from PowerShell scripts will be stored in separate index).

I will not teach you (right here), how to set up metric collection – please check it in Splunk manual.

Basic Windows metrics

Source: inputs.conf

As you can see, those metrics are standard performance monitor counters. When you are using perfmon, the default interval is 15 seconds. In my opinion for some counters this is too much. I used 4 different intervals:

  • 15 seconds: Processor and Disk latency
  • 60 seconds (1 minute): Memory, Network interfaces, Page file, System, Disk (except latency and space)
  • 300 seconds (5 minutes): Disk space
  • 600 seconds (10 minutes): Processes

In this configuration I also include Windows and Application event logs and Windows Services status.

Citrix metrics

Source: inputs.conf

Here we’ve got Citrix metrics. There are counter from RDS servers (like ICA Sessions), DDS’s (Citrix Broker Service) and StoreFronts (Citrix Receiver for Web). Here I also have different interval value for different counter types.

I also included here Terminal Services eventlog: [WinEventLog://Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]. In further examples I will show you how many interesting information you can get from here.

Because Basic Windows metric can be used on generic Windows server, I wanted to specify, that on RDS servers I want to collect Processes metric every 30 seconds. So I added this stanza right here:

object = Process
instances = *
counters = % Processor Time
interval = 30
disabled = 0
index = perfmon


All those metrics you can use to monitor other Windows server (not only Citrix). Of course, some data will not be gathered (like ICA Latency) because they does not exist.