Application and Process Startup Metrics
Process Startup
For each application or process that is being launched, uberAgent collects metrics like startup performance (duration, IOPS), as well as process properties (e.g., elevation status).
Note: as with all other metrics, process startup duration is recorded automatically without requiring any configuration. Optionally, the Splunk dashboards can be limited to show only processes that have never been seen before.
Note: processes are auto-grouped into applications, i.e., the application name is determined automatically. Information on how automatic application identification works is available here.
If the configuration setting EnableExtendedInfo is enabled, uberAgent also collects the full path to the process executable in the file system as well as the full command line the process was launched with.
Details
- Source type: uberAgent:Process:ProcessStartup
- Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
- Enabled through configuration setting: ProcessStartup
- Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Measurement type | Platform | Example |
---|---|---|---|---|---|---|
ProcName | Process name | String | | Snapshot | all | chrome.exe |
ProcUser | Process user | String | | Snapshot | all | Domain\JohnDoe |
StartupTimeMs | Startup time duration | Number | ms | Sum | Win | 300 |
StartupIOPS | Startup I/O operations per second | Number | | Count | Win | 150 |
AppId | Associated application ID. Used by uberAgent to look up application names and populate the field AppName. | String | | Snapshot | all | GglChrm |
ProcID | Process ID | Number | | Snapshot | all | 456 |
ProcParentID | Parent process ID | Number | | Snapshot | all | 789 |
SessionID | Unique identifier that is generated by the machine when the session is created. Will be reassigned to other sessions after logoff. | Number | | Snapshot | all | 3 |
ProcGUID | Unique identifier that is generated by uberAgent when the process is started. | String | | Snapshot | all | 00000000-ebe5-469c-63ae-f5a1de28d401 |
SessionGUID | Unique identifier that is generated by uberAgent when the session is created. Valid for this session only. | String | | Snapshot | Win | 00000002-f295-9109-e7c7-c964011dd401 |
ProcParentName | Parent process name | String | | Snapshot | all | powershell.exe |
ProcPath | Full path to the process executable in the file system | String | | Snapshot | all | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
ProcCmdline | Full command line the process was launched with | String | | Snapshot | all | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --url http://vastlimits.com |
IsElevated | Indicates if the process was started elevated (admin rights) | String | | Snapshot | all | 1 |
AppVersion | Associated application version | String | | Snapshot | all | 67.0.3396.99 |
ProcParentGUID | Unique identifier of the parent process | String | | Snapshot | all | 00000000-ebe5-469c-54ae-f5a1de28d401 |
IsProtected | Indicates whether the process was started protected | String | | Snapshot | Win | 1 |
HashMD5 | MD5 hash of the process executable (requires ESA) | String | | Snapshot | Win | 7FFE122B109F1B586DEA2ED0F406E952 |
HashSHA1 | SHA1 hash of the process executable (requires ESA) | String | | Snapshot | Win | 26DBC241A37881072689CD05C70489C2CDFB562A |
HashSHA256 | SHA256 hash of the process executable (requires ESA) | String | | Snapshot | Win | 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC |
HashIMP | Import-table hash of the process executable (requires ESA) | String | | Snapshot | Win | 188392D5FBCC485811BB54211E4D2978 |
SignatureStatus | Authenticode signature status. Can be 0, 1, 2, 3 or 4. See also SignatureStatusDisplayName. Requires ESA. | String | | Snapshot | Win | 1 |
IsSignedByOSVendor | Indicates whether the Authenticode signer is the OS manufacturer (e.g., Microsoft). Requires ESA. | String | | Snapshot | Win | 1 |
SignerName | Authenticode signer name (requires ESA). | String | | Snapshot | Win | Microsoft Windows |
The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID.
The maximum supported timer Interval for the ProcessStartup metric is 300000 (5 minutes).
List of Calculated Fields
Field | Description | Data type | Unit | Measurement type | Where available | Example |
---|---|---|---|---|---|---|
User | Content of field ProcUser | String | | Snapshot | Splunk data model | Domain\JohnDoe |
StartupTimeS | Startup time duration | Number | s | Sum | Splunk data model | 0.3 |
StartupIOCount | StartupIOPS * StartupTimeMs / 1000 | Number | | Sum | Splunk data model | 45 |
AppName | Associated application name | String | | Snapshot | Splunk data model, Splunk SPL | Google Chrome |
SignatureStatusDisplayName | Possible values: Unknown, Ok, Revoked, Expired and InvalidHash | String | | Snapshot | Splunk data model | Ok |
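As an added example (not part of the uberAgent documentation or product), the following Python derives the calculated fields above from constructed raw ProcessStartup events and adds a hypothetical review rule for elevated process starts whose Authenticode status is not Ok or whose signer is not the OS vendor. The record layout, the positional pairing of SignatureStatus codes 0 to 4 with the display names, and the review rule are assumptions.

```python
from typing import Dict, List

# SignatureStatus code -> SignatureStatusDisplayName. The page lists codes 0..4 and
# the names Unknown, Ok, Revoked, Expired, InvalidHash; pairing them by position is
# an assumption, only 1 -> "Ok" is confirmed by the page's examples.
SIGNATURE_STATUS_NAMES = {0: "Unknown", 1: "Ok", 2: "Revoked", 3: "Expired", 4: "InvalidHash"}

# Constructed raw-agent events: the first mirrors the page's chrome.exe examples,
# the second is invented so that the review rule has something to report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcName": "chrome.exe", "ProcUser": "Domain\\JohnDoe", "StartupTimeMs": "300",
     "StartupIOPS": "150", "AppId": "GglChrm", "IsElevated": "0",
     "SignatureStatus": "1", "IsSignedByOSVendor": "0", "SignerName": "Example Signer"},
    {"ProcName": "updater.exe", "ProcUser": "Domain\\JohnDoe", "StartupTimeMs": "1200",
     "StartupIOPS": "40", "AppId": "", "IsElevated": "1",
     "SignatureStatus": "4", "IsSignedByOSVendor": "0", "SignerName": ""},
]

def calculated_fields(event: Dict[str, str]) -> Dict[str, object]:
    """Derive the Splunk calculated fields from one raw ProcessStartup event."""
    startup_ms = float(event.get("StartupTimeMs") or 0)
    iops = float(event.get("StartupIOPS") or 0)
    out: Dict[str, object] = {
        "User": event.get("ProcUser", ""),
        "StartupTimeS": startup_ms / 1000.0,            # ms -> s
        "StartupIOCount": iops * startup_ms / 1000.0,   # StartupIOPS * StartupTimeMs / 1000
    }
    status = event.get("SignatureStatus", "")
    if status != "":                                    # empty when the ESA fields are absent
        out["SignatureStatusDisplayName"] = SIGNATURE_STATUS_NAMES.get(int(status), "Unknown")
    return out

def review_reasons(event: Dict[str, str]) -> List[str]:
    """Hypothetical triage rule (not from the page): why an elevated process start
    deserves a look. An empty list means nothing stood out."""
    if event.get("IsElevated") != "1":
        return []
    reasons: List[str] = []
    status = event.get("SignatureStatus", "")
    if status == "":
        reasons.append("no Authenticode data (ESA fields empty)")
    elif int(status) != 1:
        reasons.append("signature status " + SIGNATURE_STATUS_NAMES.get(int(status), "Unknown"))
    if event.get("IsSignedByOSVendor") != "1":
        reasons.append("signer is not the OS vendor")
    return reasons

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Enrich every event with its calculated fields and its review reasons."""
    return [{**e, **calculated_fields(e), "ReviewReasons": review_reasons(e)} for e in events]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["ProcName"], row["StartupTimeS"], row["StartupIOCount"],
              row.get("SignatureStatusDisplayName"), row["ReviewReasons"])
```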