Virtualized all the way to my desktop

Among the many email responses to my Splunk for VMware blog post, several were from people deploying thousands of virtual desktops in their environment, wondering how to get enough visibility to be able to troubleshoot user issues. Will Hayes started working on this virtualization problem a few months ago, for Citrix Xendesktop and his blog describes the deep levels of visibility our Splunk for XenDesktop solution provides.

We’re showcasing this solution at Microsoft Management Summit this week and are pretty excited to see the levels of interest and enthusiasm around this new solution. For those who are running VMware View, we don’t have a solution yet, but can provide some (hopefully helpful) pointers.

VMware View consists of the following main deployment components:

1.      VMware vSphere – the hypervisor that virtual desktops run on. The Splunk for VMware vSphere app will pull logs and metrics from this layer – if interested in this solution, please email me at ljoshi AT

2.      VMware View Manager – the connection broker and admin console

3.      VMware View agents – installed on the virtual desktops, these agents manage interaction with the client over PCoIP

4.      VMware View Composer and ThinApp – included only in the higher editions of View

Troubleshooting this multi-component environment is often a complex exercise. Not to worry, you can still use Splunk to make it easy.

First, here’s a quick link to information on where to find log files for all the different components.

You can get index all of these logs in Splunk. Ideally, you want logs from all your different components to be sent to your central Splunk instance. The best way to do this in large scale environments is with our new universal lightweight forwarder. The new forwarder, which was released with 4.2 has some great advantages. Not only does it provide secure, distributed, real-time universal data collection but also, it makes it easy to collect Windows data. In addition to the View agent logs, you can also collect metrics from the desktop virtual machine like resource usage, processes running on the virtual machine etc.

Once you have all this data in your central Splunk instance, you can quickly find out whether a user problem is because of low resources available inside his/her virtual machine or because of PCoIP bandwidth issues or other errors in your environment.

For PCoIP logs specifically, Andre Leibovici , a VMware vExpert(@andreleibovici)  has created this extremely cool Splunk app. Thanks much Andre! Here is a link to an overview of the app You can also download the app from the overview page.

Interpreting PCoIP logs is explained by Andre in this article and troubleshooting PCoIP performance is found here

This is only the tip of the iceberg, of course. VMware View environments are still nascent and there is a lot to understand about View performance. It’s a good thing that Splunk is so fantastic about being able to index all kinds of data, help you correlate events across many different tiers and find the nuggets of information that help you resolve your unique problems very quickly.

Happy Splunking!

Leena Joshi

Posted by