uberAgent

How to Separate Data from Different Types of Machines

If you are monitoring different types of machines with uberAgent, say XenDesktop/VDI clients and XenApp/RDS servers, you may want to separate the data in the dashboards so that you only see data from one group of machines or the other.

Temporary Separation

To temporarily view only the data from one group of machines, enter the part of the computer name that uniquely identifies the machines in that group in the Filter expression input box on the dashboard. For example, to filter for machines whose names start with the string RDS:

[Screenshot: Filter expression input box on the dashboard]

Permanent Separation

To permanently separate data from a group of machines, use uberAgent's multi-tenancy capabilities.

Splunk stores data in containers called indexes. By default, uberAgent stores all its data in the index uberagent. You can, however, configure one group of machines to store data in an index called uberagent-clients and another to store data in uberagent-servers. The only requirement is that all index names start with a common prefix; otherwise the dashboards will not work.

By default, uberAgent's dashboards search all indexes whose names start with uberagent. You can configure individual Splunk user accounts so that they only have permission to search the index of one machine group, not the other. Depending on the user account you log on to Splunk with, you see data from different machine groups.

For details on how to implement this please see this article.
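The separation only holds if no role can reach both indexes through a wildcard or an imported role. The following audit sketch is an added example, not code from uberAgent or Splunk. It assumes roles are defined in Splunk's authorize.conf with the srchIndexesAllowed and importRoles settings; the role names and the sample file are constructed.

```python
import configparser
from fnmatch import fnmatchcase
# Constructed authorize.conf: index names are from the article, role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_ua_clients]
srchIndexesAllowed = uberagent-clients
[role_ua_servers]
srchIndexesAllowed = uberagent-servers
[role_ua_helpdesk]
importRoles = ua_clients;wide
srchIndexesAllowed = uberagent-clients
[role_wide]
srchIndexesAllowed = uberagent*
"""
GROUP_INDEXES = ["uberagent-clients", "uberagent-servers"]

def _split(value):
    return [p.strip() for p in value.split(";") if p.strip()]

def load_roles(conf_text):
    """Parse authorize.conf text into {role: (index_patterns, imported_roles)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s[len("role_"):]: (_split(cp[s].get("srchIndexesAllowed", "")),
                               _split(cp[s].get("importRoles", "")))
            for s in cp.sections() if s.startswith("role_")}

def effective_patterns(role, roles, seen=None):
    """Own index patterns plus those inherited through importRoles (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    own, imports = roles[role]
    return set(own).union(*(effective_patterns(r, roles, seen) for r in imports))

def searchable_groups(conf_text, indexes=GROUP_INDEXES):
    """Map each role to the machine-group indexes it can effectively search."""
    roles = load_roles(conf_text)
    return {role: sorted(i for i in indexes if any(
                fnmatchcase(i, p) for p in effective_patterns(role, roles)))
            for role in roles}

def leaking_roles(conf_text, indexes=GROUP_INDEXES):
    """Roles able to search more than one machine group's index."""
    return sorted(r for r, i in searchable_groups(conf_text, indexes).items() if len(i) > 1)

if __name__ == "__main__":
    print(leaking_roles(SAMPLE_AUTHORIZE_CONF))
```

In the constructed sample, the helpdesk role lists only the clients index itself but inherits the wildcard from an imported role, so it is reported alongside the wildcard role.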

Alternative for Permanent Separation

As an alternative to separating data into multiple indexes, you can always create custom dashboards that use some other means of differentiating between different types of machines. You could, for example, use a lookup table that stores a mapping between machine groups and computer name regexes.
