
Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) as Logins by host

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(host) by host

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) as Machines, count(MachineName) as Percent by MachineName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(MachineName) by MachineName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) as Logins by DesktopDisplayName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(DesktopDisplayName) by DesktopDisplayName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) as Logins, count(UserDisplayName) as Percent by UserDisplayName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats count(UserDisplayName) by UserDisplayName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$ | stats dc(UserDisplayName) as "Total Users"

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$$ latest=$$ | stats count by DesktopDisplayName| sort - count |fields -

EventType=AGENT_CONNECTED DesktopDisplayName=$tok.pool|s$| stats count(_raw) as "Total Connections"

Index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName

Index=vmware EventType=AGENT_SHUTDOWN DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | stats count(DesktopDisplayName) by DesktopDisplayName

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName="*" | timechart count(DesktopDisplayName) by DesktopDisplayName

Index=vmware EventType!=Null | stats count by EventType

Index=vmware EventType!=Null | timechart count by EventType

Index=vmware EventType=AGENT_CONNECTED DesktopDisplayName=* earliest=$$ latest=$$ | stats count by DesktopDisplayName| sort - count |fields -

Event Types Over Time

Just create two new dashboards and import the attached xml dashboards.

You can find more information and an example dashboard in this post.

I recommend using a Splunk universal forwarder dedicated to your Syslog input. You can configure a Syslog input and create a VMware index on port 514. You can have your connection servers configured to send logs to Splunk. VMware Horizon can send data to Splunk as a Syslog target.
