Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent Explained: Application Inventory

  • by Helge Klein
  • August 10, 2015

This is the second in a series of articles that highlight and explain specific aspects of uberAgent’s functionality.

What is uberAgent?

uberAgent is a Splunk agent for Windows end-user computing analytics focused on user experience and application performance. It provides deep insights into the user logon process, helps identify bottlenecks caused by slow backend systems and very much more. But how does inventory data fit in?

Why Application Inventory?

In order to understand what is happening, you first need to know what you have. Application inventory data provides a solid foundation to base decisions on and helps answer questions like these:

  • Which applications do we have?
  • How many machines is an application installed on?
  • Which versions are installed on which machines?
  • Do we have old versions with known security vulnerabilities?
  • How is the rollout of that new application progressing?
  • Are users installing apps on their own?


What does the application inventory data collected by uberAgent look like? Here is a sample screenshot showing an excerpt from the dashboard Single Machine Inventory:

uberAgent application inventory - all application installations on a single machine

As you can see, uberAgent collects the following information for each application:

  • Application name
  • Publisher (vendor) name
  • Version number
  • Installation date
  • Installed language
  • Was it installed from an MSI package?
  • Per machine or per user installation?
  • Install location

A full list of all metrics collected by uberAgent can be found here.


The application inventory functionality does not have to be configured specifically, just install uberAgent and it will immediately start collecting all this great data.

In case you want to modify the default configuration, e.g. in order to change the data collection frequency, take a look at the first article in this series.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *


While Application Inventory collects Application Name, Version and Installed Date, it doesn't keep track of the uninstallations. When we are running an application inventory report via Uber data, how can we keep track of PCs where it was installed before and later got the same application uninstalled?

This is quite a challenge to the accuracy of data being shared. Is there anything that can be done?


The difficulty with that one is, that uberAgent only sends an event when it has found an application. In case of an uninstallation, uberAgent does not send any events. But, you can work around this by counting the host first (will always be 1) and compare to the count of installations found. Please find an example search below. It should give you an idea of how to solve your requirements. If not, please send us an mail via [email protected].

| pivot `uA_DM_Application_ApplicationInventory` Application_ApplicationInventory
dc(host) as HostCount
period day
filter host is "Computer1"
| join type=outer _time
| pivot `uA_DM_Application_ApplicationInventory` Application_ApplicationInventory
dc(host) as AppInstalled
period day
filter DisplayName is "Application"
filter host is "Computer1"
| fields + _time AppInstalled