uberAgent Explained: Application Inventory

This is the second in a series of articles that highlight and explain specific aspects of uberAgent’s functionality.

What is uberAgent?

uberAgent is a Splunk agent for Windows end-user computing analytics focused on user experience and application performance. It provides deep insights into the user logon process, helps identify bottlenecks caused by slow backend systems and very much more. But how does inventory data fit in?

Why Application Inventory?

In order to understand what is happening, you first need to know what you have. Application inventory data provides a solid foundation to base decisions on and helps answer questions like these:

  • Which applications do we have?
  • How many machines is an application installed on?
  • Which versions are installed on which machines?
  • Do we have old versions with known security vulnerabilities?
  • How is the rollout of that new application progressing?
  • Are users installing apps on their own?


What does the application inventory data collected by uberAgent look like? Here is a sample screenshot showing an excerpt from the dashboard Single Machine Inventory:

uberAgent application inventory - all application installations on a single machine

As you can see, uberAgent collects the following information for each application:

  • Application name
  • Publisher (vendor) name
  • Version number
  • Installation date
  • Installed language
  • Was it installed from an MSI package?
  • Per machine or per user installation?
  • Install location

A full list of all metrics collected by uberAgent can be found here.


The application inventory functionality does not have to be configured specifically, just install uberAgent and it will immediately start collecting all this great data.

In case you want to modify the default configuration, e.g. in order to change the data collection frequency, take a look at the first article in this series.

  1. Suresh M says:

    While Application Inventory collects Application Name, Version and Installed Date, it doesn’t keep track of the uninstallations. When we are running an application inventory report via Uber data, how can we keep track of PCs where it was installed before and later got the same application uninstalled?

    This is quite a challenge to the accuracy of data being shared. Is there anything that can be done?

    1. Hi,

      The difficulty with that one is, that uberAgent only sends an event when it has found an application. In case of an uninstallation, uberAgent does not send any events. But, you can work around this by counting the host first (will always be 1) and compare to the count of installations found. Please find an example search below. It should give you an idea of how to solve your requirements. If not, please send us an mail via [email protected].

      | pivot `uA_DM_Application_ApplicationInventory` Application_ApplicationInventory dc(host) as HostCount splitrow _time period day filter host is "Computer1" | join type=outer _time [ | pivot `uA_DM_Application_ApplicationInventory` Application_ApplicationInventory dc(host) as AppInstalled splitrow _time period day filter DisplayName is "Application" filter host is "Computer1" | fields + _time AppInstalled ]

Leave a Reply

Your email address will not be published. Required fields are marked *