Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.


Process Stop Metrics

Process Stop

uberAgent collects detailed process stop information like the process name, the process lifetime as well as the parent process.

Details

  • Source type: uberAgentESA:Process:ProcessStop
  • Used in dashboards: Process Tree
  • Enabled through configuration setting: ProcessStop
  • Related configuration settings: n/a

List of Fields in the Raw Agent Data

Field Description Data type Unit Platform Example
ProcName Process name. String all svchost.exe
ProcUser Process user. String all domain\JohnDoe
ProcLifetimeMs Process lifetime. Number Ms all 500
AppId Application ID. String all Svc:WdiSystemHost
ProcId Process ID. Number all 12345
ProcParentId Parent process ID. Number all 67890
SessionId Session ID. Number all 2
ProcGUID Process GUID. String all 4b3e3686-7854-4d98-0023-1e0e617bf2e4
SessionGUID Session GUID. String all 00000000-b242-d759-7a63-d686b0ffd501
ProcParentName Parent process name. String all services.exe
ProcPath Process path. String all C:\WINDOWS\System32\svchost.exe
ProcCmdline Process commandline. String all C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
IsElevated Indicates if the process was started elevated (admin rights). String all 1
AppVersion Application version. String all 1.0
ProcParentGUID Parent process GUID. String all d72ceb7e-7851-02ec-005d-139741c4afd6
IsProtected Indicates if the process was started protected. String Win 1
HashMD5 Process hash value in MD5. Configurable via settings EnableCalculateHash and HashAlgorithm. String Win 7FFE122B109F1B586DEA2ED0F406E952
HashSHA1 Process hash value in SHA1. Configurable via settings EnableCalculateHash and HashAlgorithm. String Win 26DBC241A37881072689CD05C70489C2CDFB562A
HashSHA256 Process hash value in SHA256. Configurable via settings EnableCalculateHash and HashAlgorithm. String Win 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC
HashIMP Import-table hash. Configurable via settings EnableCalculateHash and HashAlgorithm. String Win 188392D5FBCC485811BB54211E4D2978
CdHash Hash of the code directory of a signed executable. Configurable via setting EnableCdHash. String macOS 24e4b80198b220e4a0ea87d33bf72af22576722c

List of Calculated Fields

Field Description Data type Unit Example Where available
ProcUser coalesce (ProcUserExpanded, ProcUser). String Domain\JohnDoe Splunk data model
User ProcUser. String Domain\JohnDoe Splunk data model
TimestampMs _time * 1000. Number Ms 1585913547467 Splunk data model

Comments

Your email address will not be published. Required fields are marked *