Application and Process Startup Metrics
Process Startup
uberAgent collects metrics for each application or process that is being launched like startup duration, IOPS during startup as well as if the process was started with admin privileges.
Note: as with all other metrics process startup duration is recorded automatically without requiring any configuration. uberAgent optionally only shows new processes never seen before.
Note: processes are auto-grouped into applications, i.e. the application name is determined automatically without requiring any configuration. Information on how this works are available here.
If the configuration setting EnableExtendedInfo is enabled, uberAgent also collects metrics like the full path to the process executable in the file system as well the full command line the process was launched with.
Details
- Source type:
uberAgent:Process:ProcessStartup - Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
- Enabled through configuration setting:
ProcessStartup - Related configuration settings:
[ProcessStartupSettings],[ProcessStartupDurationWaitIntervalOverride] - Supported platform: Windows
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Measurement type | Example |
|---|---|---|---|---|---|
| ProcName | Process name | String | Snapshot | chrome.exe | |
| ProcUser | Process user | String | Snapshot | Domain\JohnDoe | |
| StartupTimeMs | Startup time duration | Number | ms | Sum | 300 |
| StartupIOPS | Startup I/O operations per second | Number | Count | 150 | |
| AppId | Associated application ID. Used by uberAgent to lookup application names and populate field AppName. |
String | Snapshot | GglChrm | |
| ProcID | Process ID | Number | Snapshot | 456 | |
| ProcParentID | Parent process ID | Number | Snapshot | 789 | |
| SessionID | Unique identifier that is generated by the machine when the session is created. Will be reassigned to other sessions after logoff. |
Number | Snapshot | 3 | |
| ProcGUID | Unique identifier that is generated by uberAgent when the process is started | String | Snapshot | 00000000-ebe5-469c-63ae-f5a1de28d401 | |
| SessionGUID | Unique identifier that is generated by uberAgent when the session is created. Valid for this session only. |
String | Snapshot | 00000002-f295-9109-e7c7-c964011dd401 | |
| ProcParentName | Parent process name | String | Snapshot | powershell.exe | |
| ProcPath | Full path to the process executable in the file system | String | Snapshot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
| ProcCmdline | Full commandline the process was launched with | String | Snapshot | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe –url http://vastlimits.com | |
| IsElevated | Indicates if the process was started elevated (admin rights) | String | Snapshot | 1 | |
| AppVersion | Associated application version | String | Snapshot | 67.0.3396.99 | |
| ProcParentGUID | Unique identifier of the parent process | String | Snapshot | 00000000-ebe5-469c-54ae-f5a1de28d401 | |
| ProcHash | Hash value of process | String | Snapshot | 3D20D4221A46D0C1C6284BA9F09E65C4 | |
| HashType | The type of the calculated hash | String | Snapshot | 1, 2, 3 or 4 | |
| IsProtected | Indicates whether the process was started protected | String | Snapshot | 1 |
The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID
The maximum supported timer Interval for the ProcessStartup metric is 300000 (5 minutes).
List of Calculated Fields
| Field | Description | Data type | Unit | Measurement type | Where available | Example |
|---|---|---|---|---|---|---|
| User | Content of field ProcUser |
String | Snapshot | Splunk data model | Domain\JohnDoe | |
| StartupTimeS | Startup time duration | Number | s | Sum | Splunk data model | 0.3 |
| StartupIOCount | StartupIOPS * StartupTimeMs / 1000 |
Number | Sum | Splunk data model | 45 | |
| AppName | Associated application name | String | Snapshot | Splunk data model, Splunk SPL | Google Chrome | |
| HashTypeDisplayName | Hash type name. Possible values: MD5, SHA-1, SHA-256, ImpHash |
String | Snapshot | Splunk data model, Splunk SPL | MD5 |