This documentation does not apply to the most recent version of uberAgent.
Process Stop Metrics
Process Stop
uberAgent collects detailed process stop information, such as the process name, the process lifetime, and the parent process.
Details
- Source type: uberAgentESA:Process:ProcessStop
- Used in dashboards: Process Tree
- Enabled through configuration setting: ProcessStop
- Related configuration settings: n/a
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
ProcName | Process name. | String | | svchost.exe |
ProcUser | Process user. | String | | domain\JohnDoe |
ProcLifetimeMs | Process lifetime. | Number | Ms | 500 |
AppId | Application ID. | String | | Svc:WdiSystemHost |
ProcId | Process ID. | Number | | 12345 |
ProcParentId | Parent process ID. | Number | | 67890 |
SessionId | Session ID. | Number | | 2 |
ProcGUID | Process GUID. | String | | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 |
SessionGUID | Session GUID. | String | | 00000000-b242-d759-7a63-d686b0ffd501 |
ProcParentName | Parent process name. | String | | services.exe |
ProcPath | Process path. | String | | C:\WINDOWS\System32\svchost.exe |
ProcCmdline | Process command line. | String | | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted |
IsElevated | Indicates whether the process was started elevated (admin rights). | String | | 1 |
AppVersion | Application version. | String | | 1.0 |
ProcParentGUID | Parent process GUID. | String | | d72ceb7e-7851-02ec-005d-139741c4afd6 |
IsProtected | Indicates whether the process was started protected. | String | | 1 |
HashMD5 | Process hash value (MD5). | String | | 7FFE122B109F1B586DEA2ED0F406E952 |
HashSHA1 | Process hash value (SHA1). | String | | 26DBC241A37881072689CD05C70489C2CDFB562A |
HashSHA256 | Process hash value (SHA256). | String | | 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC |
HashIMP | Import-table hash. | String | | 188392D5FBCC485811BB54211E4D2978 |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
ProcUser | coalesce(ProcUserExpanded, ProcUser). | String | | Domain\JohnDoe | Splunk data model |
User | ProcUser. | String | | Domain\JohnDoe | Splunk data model |
TimestampMs | _time * 1000. | Number | Ms | 1585913547467 | Splunk data model |
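The following is an added example, not uberAgent's own code: it derives the three calculated fields exactly as the table above defines them from raw ProcessStop events and walks the parent chain through ProcGUID/ProcParentGUID. The events are constructed from the example values in the tables; the ProcUserExpanded value and the second event are assumptions.

```python
"""Added example (not uberAgent code): calculated fields and parent-chain
lookup over constructed ProcessStop events. Keys follow the raw-field table."""
from typing import Optional

# Constructed sample events; GUIDs and names come from the table examples,
# the services.exe event and ProcUserExpanded are assumptions for illustration.
SAMPLE_EVENTS = [
    {"_time": 1585913547.467, "ProcName": "svchost.exe",
     "ProcUser": "domain\\JohnDoe", "ProcLifetimeMs": 500, "ProcId": 12345,
     "ProcParentId": 67890, "ProcGUID": "4b3e3686-7854-4d98-0023-1e0e617bf2e4",
     "ProcParentGUID": "d72ceb7e-7851-02ec-005d-139741c4afd6",
     "ProcParentName": "services.exe", "IsElevated": "1"},
    {"_time": 1585913600.0, "ProcName": "services.exe",
     "ProcUser": "S-1-5-18", "ProcUserExpanded": "NT AUTHORITY\\SYSTEM",
     "ProcLifetimeMs": 86400000, "ProcId": 67890, "ProcParentId": 1,
     "ProcGUID": "d72ceb7e-7851-02ec-005d-139741c4afd6",
     "ProcParentGUID": "00000000-0000-0000-0000-000000000000",
     "ProcParentName": "wininit.exe", "IsElevated": "1"},
]


def coalesce(*values: Optional[str]) -> Optional[str]:
    """First non-null value, like Splunk's coalesce(); '' counts as a value."""
    return next((v for v in values if v is not None), None)


def calculated_fields(event: dict) -> dict:
    """Compute ProcUser, User and TimestampMs as the calculated-fields table defines them."""
    user = coalesce(event.get("ProcUserExpanded"), event.get("ProcUser"))
    return {
        "ProcUser": user,                                   # coalesce(ProcUserExpanded, ProcUser)
        "User": user,                                       # User = ProcUser
        "TimestampMs": int(round(event["_time"] * 1000)),   # _time * 1000
    }


def parent_chain(events: list, proc_guid: str) -> list:
    """Process names from the given process up to the last ancestor we have an
    event for. GUIDs are used instead of PIDs because PIDs are reused after a stop."""
    by_guid = {e["ProcGUID"]: e for e in events}
    chain, seen, guid = [], set(), proc_guid
    while guid in by_guid and guid not in seen:
        seen.add(guid)                      # guard against malformed cycles
        chain.append(by_guid[guid]["ProcName"])
        guid = by_guid[guid]["ProcParentGUID"]
    return chain


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcName"], calculated_fields(ev), parent_chain(SAMPLE_EVENTS, ev["ProcGUID"]))
```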