How to collect, index, search & analyse PCoIP log files across the entire organisation

When you have hundreds or thousands of log files across hundreds or thousand of desktops the task of collecting and analysing those files can be challenging if you do not have the right tool. When you need to troubleshoot PCoIP across a range of desktops you will be challenged with similar scenario.

I like to use a very neat tool called Splunk. Splunk is used to monitor, report and analyse live streaming data as well as historical data. In addition to that Splunk allows me to create advanced meta-queries with the PCoIP information that was collected, indexed and archived on the database. The tool is not only meant to collect text-based log files but you can also collect real time data from your servers and network devices through use of WMI polling, syslog, SNMP amongst other methods.


After a 3 minute install you will be able to initiate your data collection. First you will need to create a database Index for your PCoIP collections and then you will setup a Data Input method. Start with a local log collection to get familiar with the product, but later you will want to setup remote capture of PCoIP log files from your VMware View remote desktops.

In order to do that you will need to create a folder on your workstation and copy some PCoIP log files from different virtual desktops in this folder. I have previously published an article about How to troubleshoot PCoIP performance that should give you the base information required to get those log files and also tell you what to look for when querying and searching the database.

Once you have imported the log files you can start running some queries. The example below demonstrates a query for all values for the constant plateau. Plateau is the maximum bandwidth consumed by PCoIP. Splunk will show how many appearances throughout all log files and also will create a chart with the values.

Now you can start to be more accurate on your searches and as example query for all desktops that had bandwidth reduction to less than 100 Kilobytes. A search like that would help you to understand what exactly was happening across all your VMware View desktops at a specific point in time.

Another example would be search for Loss > 0 to see the desktops that had PCoIP packet loss.




The most common fields for your PCoIP searches are:

  • rto
  • plateau
  • limit
  • loss
  • variance
  • date
  • time

Refer to How to troubleshoot PCoIP performance for more information on those constants.



The picture below demonstrates the selection of a constant (plateau) and then Splunk automatically generate a list and graphs with the top 10 values to the constant. On the example above my PCoIP bandwidth was 63% of the time above 1152 kilobits/s.




You can still see each log entry after you select your meta-query and go through each line to identify and troubleshoot a given problem.




After a day or so collecting and indexing your files you will be amazed by the amount od information you can extract from you log files with simple queries. The best thing is that for index databases up to 500Mb the product is free, but once you get familiar with Splunk you may want to start using it to collect all your log files, including your ESX and Windows logs.

There are several other features like the ability to create customised Apps, a wide-range of graphs, monitoring & alerting, data forwarding and exposed APIs to integrate with your other applications. I might soon end up publishing an App to help you with PCoIP log parsing. For now, download Splunk for free from

1 comment

1 ping

    • Andrew on 07/19/2011 at 9:03 pm


    I am not able to get any reports generated as each item I select has no results.

    I tried loading my own pcoip_server logs and still no joy. I can see the files are indexed, it just won’t report.


  1. […] Read the original post here. […]

Comments have been disabled.