Application and Process Startup Metrics
Process Startup
uberAgent collects metrics for each application or process that is launched, such as startup duration, IOPS during startup, and whether the process was started with admin privileges.
Note: as with all other metrics, process startup duration is recorded automatically without requiring any configuration.
uberAgent optionally only shows new processes never seen before.
Note: processes are auto-grouped into applications, i.e. the application name is determined automatically without requiring any configuration. Information on how this works is available here.
If the configuration setting EnableExtendedInfo is enabled, uberAgent also collects metrics like the full path to the process executable in the file system as well as the full command line the process was launched with.
Details
- Source type: uberAgent:Process:ProcessStartup
- Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
- Enabled through configuration setting: ProcessStartup
- Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Measurement type | Example |
---|---|---|---|---|---|
ProcName | Process name | String | | Snapshot | chrome.exe |
ProcUser | Process user | String | | Snapshot | Domain\JohnDoe |
StartupTimeMs | Startup time duration | Number | ms | Sum | 300 |
StartupIOPS | Startup I/O operations per second | Number | | Count | 150 |
AppId | Associated application ID. Used by uberAgent to lookup application names and populate field AppName. | String | | Snapshot | GglChrm |
ProcID | Process ID | Number | | Snapshot | 456 |
ProcParentID | Parent process ID | Number | | Snapshot | 789 |
SessionID | Unique identifier that is generated by the machine when the session is created. Will be reassigned to other sessions after logoff. | Number | | Snapshot | 3 |
ProcGUID | Unique identifier that is generated by uberAgent when the process is started | String | | Snapshot | 00000000-ebe5-469c-63ae-f5a1de28d401 |
SessionGUID | Unique identifier that is generated by uberAgent when the session is created. Valid for this session only. | String | | Snapshot | 00000002-f295-9109-e7c7-c964011dd401 |
ProcParentName | Parent process name | String | | Snapshot | powershell.exe |
ProcPath | Full path to the process executable in the file system | String | | Snapshot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
ProcCmdline | Full commandline the process was launched with | String | | Snapshot | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe –url http://vastlimits.com |
IsElevated | Indicates if the process was started elevated (admin rights) | String | | Snapshot | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
AppVersion | Associated application version | String | | Snapshot | 67.0.3396.99 |
The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline
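The empty-field behaviour noted above matters for any detection that keys on ProcParentName or ProcCmdline: on endpoints where EnableExtendedInfo is off, such a rule can never match. The following is an added example, not part of the uberAgent documentation; it assumes events were exported as dictionaries keyed by the field names above plus a `host` key, and all sample values are constructed.

```python
from collections import defaultdict

# Fields the page lists as empty unless EnableExtendedInfo is set to true.
EXTENDED_FIELDS = ("ProcID", "ProcParentID", "SessionID", "ProcGUID",
                   "SessionGUID", "ProcParentName", "ProcPath", "ProcCmdline")

def has_extended_info(event):
    """True if any extended field is populated in this event."""
    return any(str(event.get(name, "")).strip() for name in EXTENDED_FIELDS)

def coverage_by_host(events):
    """Return {host: fraction of events that carry extended info}."""
    counts = defaultdict(lambda: [0, 0])  # host -> [populated, total]
    for event in events:
        counts[event["host"]][0] += has_extended_info(event)
        counts[event["host"]][1] += 1
    return {host: populated / total for host, (populated, total) in counts.items()}

def match_parent(events, watched_parents):
    """Split events into (hits, unevaluable) for a parent-process rule.

    Events without extended info cannot match on ProcParentName; they are
    returned separately so the gap is visible rather than silent.
    """
    watched = {name.lower() for name in watched_parents}
    hits, unevaluable = [], []
    for event in events:
        if not has_extended_info(event):
            unevaluable.append(event)
        elif str(event.get("ProcParentName", "")).lower() in watched:
            hits.append(event)
    return hits, unevaluable

# Constructed sample events (field names from the table above; "host" is
# assumed to be present in the export, all values are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "ProcName": "chrome.exe", "ProcUser": "Domain\\JohnDoe",
     "StartupTimeMs": 300, "StartupIOPS": 150, "ProcID": 456, "ProcParentID": 789,
     "ProcParentName": "powershell.exe",
     "ProcPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"},
    {"host": "WS01", "ProcName": "notepad.exe", "ProcUser": "Domain\\JohnDoe",
     "StartupTimeMs": 120, "StartupIOPS": 40, "ProcID": 512, "ProcParentID": 300,
     "ProcParentName": "explorer.exe"},
    {"host": "WS02", "ProcName": "chrome.exe", "ProcUser": "Domain\\JaneRoe",
     "StartupTimeMs": 280, "StartupIOPS": 90, "ProcParentName": "", "ProcCmdline": ""},
]

if __name__ == "__main__":
    print(coverage_by_host(SAMPLE_EVENTS))
    hits, skipped = match_parent(SAMPLE_EVENTS, {"powershell.exe"})
    print([e["ProcName"] for e in hits], len(skipped))
```

A host with coverage 0.0 is a blind spot for parent-process and command-line rules until EnableExtendedInfo is enabled there.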
List of Calculated Fields
Field | Description | Data type | Unit | Measurement type | Where available | Example |
---|---|---|---|---|---|---|
User | Content of field ProcUser | String | | Snapshot | Splunk data model | Domain\JohnDoe |
StartupTimeS | Startup time duration | Number | s | Sum | Splunk data model | 0.3 |
StartupIOCount | StartupIOPS * StartupTimeMs / 1000 | Number | | Sum | Splunk data model | 45 |
AppName | Associated application name | String | | Snapshot | Splunk data model, Splunk SPL | Google Chrome |