Using Splunk and uberAgent to monitor VDI performance, part 1: server installation



I’ve been looking around a lot for monitoring solutions that tell me how a VDI desktop performs, which is especially useful in situations where users complain their desktop is slow. There are several products on the market that claim to do this, and one of them is a solution called uberAgent by Helge Klein, which runs on the Splunk framework. uberAgent claims it can monitor and pinpoint performance issues and statistics at a granular level.

In this series I’m going to investigate what the solution does, how the install process works and how usable the product is.

The first part covers the installation. As said, uberAgent runs on a framework called Splunk. Gartner names Splunk a leader in the 2013 Magic Quadrant for Security Information and Event Management. Splunk describes it this way: Splunk Enterprise is the industry-leading platform for operational intelligence. It can collect and index any “machine data” from virtually any source in real time. Splunk is OS independent and can run on several different operating systems.


Several (hundreds of) apps and other content can run on top of this powerful framework. This makes it possible to analyze and report on the collected data in a targeted way. Our way is going to be the uberAgent way. uberAgent is the app with the targeted knowledge of how to index, analyze and present the data that is collected.


Let’s get started. First you will have to download the software, which consists of four parts:

  • Splunk framework
  • Splunk universal forwarder agent
  • uberAgent App
  • uberAgent Technology Addon

The setup follows a classic client-server approach. The server part consists of the Splunk framework and the uberAgent App.

In this case I use a Windows Server 2008 R2 server to install the server parts on. I could have chosen to install it as easily on a Windows Server 2012 server, or even the R2 version of it, but I didn’t.

The client part consists of the Splunk universal forwarder and the uberAgent Technology Addon, which are both installed on the objects (servers/clients) that are being monitored and from which the statistical data is gathered.

In this case we use a client with a Windows 7 OS image that is used within a Citrix XenDesktop 7.1 environment with Citrix Provisioning Server 7.1.


Let’s assume you have your Windows Server set up and are ready to set up Splunk.

The first step is to start the installation. Make sure you do not install from a client drive when you connect through RDP; otherwise you will end up with this error:


The setup is pretty straightforward: next, next, finish.


Click Next.


Accept the license agreement and click Next.


Set the installation directory (I kept the default).


Since, with uberAgent, Splunk itself is not using any network resources, I kept it at “Local system user”.


Click install


Now wait until the installation finishes.


As Splunk makes use of JavaScript, which is disabled by default on servers, the Splunk website is best opened from a desktop client browser. On the server you would get the error shown in the image below. In this case I could have unchecked the “Launch browser with Splunk” option in the screen above.


Make sure the Windows Firewall configuration allows communication for splunkd.exe and splunkweb.exe (located in C:\Program Files\Splunk\bin)


From now on you can work from any client browser. The Splunk management website can be accessed through http://servername:8000


When signing in, you will have to change the default password at first logon.


After signing in, the management console looks like this; it is an empty framework.

If you have a Splunk Enterprise license, now is a good moment to install it. In my case I settle for the 60-day Enterprise license, after which it switches to the free version.

Splunk communicates through defined receivers and forwarders. Typically a receiver has multiple forwarders it gathers data from, but for load balancing purposes you can define multiple receivers for the same forwarder.

To be able to gather data, the next step is to configure a receiver. To do that you must define which TCP port Splunk will listen on.


Click Settings in the top right-hand corner and choose “Forwarding and receiving” in the Data section.


In the Receive data section choose “Add new” to configure receiving.


Enter the port number you want the receiver to listen on; it defaults to 9997.


Now the receiver/listener is created and enabled.
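
The receiver created through the UI above corresponds to a `splunktcp` stanza in `inputs.conf` on the server, and the load-balancing case mentioned earlier is expressed on the forwarder side in `outputs.conf`. The fragment below is an added example, not taken from the original post; the host names and the group name `vdi_receivers` are placeholders.

```ini
# --- Receiver (Splunk server): inputs.conf ---
# Equivalent of "Add new" under Receive data:
# listen for forwarder traffic on TCP port 9997.
[splunktcp://9997]
disabled = 0

# --- Forwarder (monitored desktop): outputs.conf ---
# Two receivers in one target group; the forwarder
# load-balances its data across the listed servers.
# Host names and the group name are placeholders.
[tcpout]
defaultGroup = vdi_receivers

[tcpout:vdi_receivers]
server = splunk01.example.local:9997, splunk02.example.local:9997
```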



The next step is to upload the uberAgent app. In the upper left corner, choose Apps/Manage apps and select “Install app from file”.

Then choose the uberAgent.tar.gz file you downloaded previously. Click Upload.


When the upload is finished, the screen looks like the one above. uberAgent is now added to the list of apps as shown.


Now that the app is uploaded, the Splunk framework needs to restart to make the app active. To restart the Splunk framework, select “Settings” in the upper right and then choose “Server controls” in the “System” section. Click “Restart Splunk”.


When the restart is finished, the uberAgent app is active and the screen looks like the one above.

Now the server-part is ready.


The next part is to configure and install the Universal Forwarder and the uberAgent Technology Addon (TA).

Since I use an image that is streamed with Citrix Provisioning Server, I have to embed the forwarder and the uberAgent TA in the image.

Using the same image for multiple desktops means I have to make sure every desktop shows up as a unique desktop, so I have to remove instance-specific information such as server name and GUID from the Universal Forwarder installation.

The installation of the Universal Forwarder and the Technology Addon inside the Citrix Provisioning Server image will be covered in part 2 of this series.


  1. Matheen

    Thanks for an excellent article. Is part 2 of the series coming soon?

    Also, if I am interested in buying uberAgent, do I need to pay Splunk as well, or is the framework free?


  2. JamieT

    Great article but I must say, I am impatiently waiting on Part 2. 🙂

  3. Gerben

    @Matheen: Part 2 is in progress now. There is a free version of the Splunk framework, but it’s limited in functionality and has a limit on the amount of data that is indexed per day. Take a look here for details:

  4. Mamit

    I have purchased a Splunk license for VDI, which is XenDesktop/App 7.6; HSD I am using via a PVS vDisk.
    So with the Splunk license, can I use uberAgent, which supports my XenApp and XenDesktop 7.6 infra?

    As I heard, Splunk does not have an app for XenDesktop 7.6.

  5. Gerben

    I only use Splunk as a framework to run uberAgent on. It depends on what you want to monitor; uberAgent does a good job at performance monitoring and troubleshooting, but it isn’t an infrastructure monitoring solution. It is not linked to a specific VDI or SBC solution, but has some extra metrics available for Citrix XenDesktop/XenApp and VMware Horizon View. You can even use uberAgent on a fat (physical) client to compare performance metrics, for instance.
