Application and Process Startup Metrics

Process Startup

For each application or process that is being launched, uberAgent collects metrics like startup performance (duration, IOPS), as well as process properties (e.g., elevation status).

Note: as with all other metrics, process startup duration is recorded automatically without requiring any configuration. Optionally, the Splunk dashboards can be restricted to show only processes that have never been seen before.

Note: processes are auto-grouped into applications, i.e., the application name is determined automatically. Information on how automatic application identification works is available here.

If the configuration setting EnableExtendedInfo is enabled, uberAgent also collects metrics like the full path to the process executable in the file system as well as the full command line the process was launched with.

Details

  • Source type: uberAgent:Process:ProcessStartup
  • Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
  • Enabled through configuration setting: ProcessStartup
  • Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]

List of Fields in the Raw Agent Data

| Field | Description | Data type | Unit | Measurement type | Platform | Example |
|---|---|---|---|---|---|---|
| ProcName | Process name | String | | Snapshot | all | chrome.exe |
| ProcUser | Process user | String | | Snapshot | all | Domain\JohnDoe |
| StartupTimeMs | Startup time duration | Number | ms | Sum | Win | 300 |
| StartupIOPS | Startup I/O operations per second | Number | | Count | Win | 150 |
| AppId | Associated application ID. Used by uberAgent to look up application names and populate the field AppName. | String | | Snapshot | all | GglChrm |
| ProcID | Process ID | Number | | Snapshot | all | 456 |
| ProcParentID | Parent process ID | Number | | Snapshot | all | 789 |
| SessionID | Unique identifier that is generated by the machine when the session is created. Will be reassigned to other sessions after logoff. | Number | | Snapshot | all | 3 |
| ProcGUID | Unique identifier that is generated by uberAgent when the process is started. | String | | Snapshot | all | 00000000-ebe5-469c-63ae-f5a1de28d401 |
| SessionGUID | Unique identifier that is generated by uberAgent when the session is created. Valid for this session only. | String | | Snapshot | Win | 00000002-f295-9109-e7c7-c964011dd401 |
| ProcParentName | Parent process name | String | | Snapshot | all | powershell.exe |
| ProcPath | Full path to the process executable in the file system | String | | Snapshot | all | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| ProcCmdline | Full command line the process was launched with | String | | Snapshot | all | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --url http://vastlimits.com |
| IsElevated | Indicates if the process was started elevated (admin rights) | String | | Snapshot | all | 1 |
| AppVersion | Associated application version | String | | Snapshot | all | 67.0.3396.99 |
| ProcParentGUID | Unique identifier of the parent process | String | | Snapshot | all | 00000000-ebe5-469c-54ae-f5a1de28d401 |
| IsProtected | Indicates whether the process was started protected | String | | Snapshot | Win | 1 |
| HashMD5 | MD5 hash of the process executable (requires ESA) | String | | Snapshot | Win | 7FFE122B109F1B586DEA2ED0F406E952 |
| HashSHA1 | SHA1 hash of the process executable (requires ESA) | String | | Snapshot | Win | 26DBC241A37881072689CD05C70489C2CDFB562A |
| HashSHA256 | SHA256 hash of the process executable (requires ESA) | String | | Snapshot | Win | 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC |
| HashIMP | Import-table hash of the process executable (requires ESA) | String | | Snapshot | Win | 188392D5FBCC485811BB54211E4D2978 |
| SignatureStatus | Authenticode signature status. Can be 0, 1, 2, 3 or 4. See also SignatureStatusDisplayName. Requires ESA. | String | | Snapshot | Win | 1 |
| IsSignedByOSVendor | Indicates whether the Authenticode signer is the OS manufacturer (e.g., Microsoft). Requires ESA. | String | | Snapshot | Win | 1 |
| SignerName | Authenticode signer name (requires ESA). | String | | Snapshot | Win | Microsoft Windows |

The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID.
The maximum supported timer interval for the ProcessStartup metric is 300000 ms (5 minutes).

List of Calculated Fields

| Field | Description | Data type | Unit | Measurement type | Where available | Example |
|---|---|---|---|---|---|---|
| User | Content of field ProcUser | String | | Snapshot | Splunk data model | Domain\JohnDoe |
| StartupTimeS | Startup time duration | Number | s | Sum | Splunk data model | 0.3 |
| StartupIOCount | StartupIOPS * StartupTimeMs / 1000 | Number | | Sum | Splunk data model | 45 |
| AppName | Associated application name | String | | Snapshot | Splunk data model, Splunk SPL | Google Chrome |
| SignatureStatusDisplayName | Possible values: Unknown, Ok, Revoked, Expired and InvalidHash | String | | Snapshot | Splunk data model | Ok |
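As an added example (not uberAgent's own code), the following Python derives the calculated fields above from raw ProcessStartup events and then triages elevated processes whose Authenticode status is missing or not Ok. The `Key="value"` line format of the constructed sample events and the numeric-to-name mapping for SignatureStatus (taken from the order listed on this page; only 1 = Ok is confirmed by the examples) are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events in an assumed Key="value" line format; the field
# names are those of the uberAgent:Process:ProcessStartup source type.
SAMPLE_EVENTS = [
    'ProcName="chrome.exe" ProcUser="Domain\\JohnDoe" StartupTimeMs="300" StartupIOPS="150" '
    'IsElevated="0" SignatureStatus="1" IsSignedByOSVendor="0" SignerName="Google LLC"',
    'ProcName="powershell.exe" ProcUser="Domain\\JohnDoe" StartupTimeMs="120" StartupIOPS="50" '
    'IsElevated="1" SignatureStatus="1" IsSignedByOSVendor="1" SignerName="Microsoft Windows"',
    'ProcName="updater.exe" ProcUser="Domain\\JohnDoe" StartupTimeMs="900" StartupIOPS="200" '
    'IsElevated="1" SignatureStatus="3" IsSignedByOSVendor="0" SignerName="Example Corp"',
    # Elevated process from a host without ESA: the signature fields are absent.
    'ProcName="installer.exe" ProcUser="Domain\\JohnDoe" StartupTimeMs="80" StartupIOPS="25" IsElevated="1"',
]

# Assumed mapping of SignatureStatus 0-4 to the display names in the order
# the page lists them; only 1 -> Ok is confirmed by the page's examples.
SIGNATURE_STATUS_NAMES = {0: "Unknown", 1: "Ok", 2: "Revoked", 3: "Expired", 4: "InvalidHash"}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one raw event line into a field dictionary (all values are strings)."""
    return dict(_KV.findall(line))


def add_calculated_fields(event: Dict[str, str]) -> Dict[str, object]:
    """Derive User, StartupTimeS, StartupIOCount and SignatureStatusDisplayName
    exactly as the calculated-fields table defines them."""
    ms = float(event.get("StartupTimeMs", 0))
    iops = float(event.get("StartupIOPS", 0))
    out: Dict[str, object] = dict(event)
    out["User"] = event.get("ProcUser", "")
    out["StartupTimeS"] = ms / 1000
    out["StartupIOCount"] = iops * ms / 1000
    status: Optional[str] = event.get("SignatureStatus")
    if status is not None:  # absent unless ESA is licensed
        out["SignatureStatusDisplayName"] = SIGNATURE_STATUS_NAMES.get(int(status), "Unknown")
    return out


def triage_elevated(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ProcName, reason) for elevated processes whose signature is
    not Ok or could not be evaluated; a review list, not a verdict."""
    findings = []
    for ev in (add_calculated_fields(parse_event(l)) for l in lines):
        if ev.get("IsElevated") != "1":
            continue
        name = ev.get("SignatureStatusDisplayName")
        if name is None:
            findings.append((str(ev["ProcName"]), "no signature data (ESA fields missing)"))
        elif name != "Ok":
            findings.append((str(ev["ProcName"]), f"signature status {name}"))
    return findings
```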
