Application & Process Startup Metrics
Process Startup
For each application or process that is launched, uberAgent collects metrics such as startup performance (duration, IOPS) and process properties (e.g., elevation status). If the configuration setting EnableExtendedInfo is enabled, uberAgent also collects the full path to the process executable in the file system as well as the full command line the process was launched with.
Notes:
- As with all other metrics, process startup duration is recorded automatically without requiring any configuration. Optionally, the Splunk dashboards can show only new processes that have never been seen before.
- Processes are auto-grouped into applications, i.e., the application name is determined automatically. Information on how automatic application identification works is available here.
Details
- Source type: uberAgent:Process:ProcessStartup
- Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
- Enabled through configuration setting: ProcessStartup
- Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Measurement type | Platform | Example |
---|---|---|---|---|---|---|
ProcName | Process name. | String | | Snapshot | all | chrome.exe |
ProcUser | Process user. | String | | Snapshot | all | Domain\JohnDoe |
StartupTimeMs | Startup time duration (how long it took the process to initialize). | Number | ms | Sum | Win | 300 |
StartupIOPS | I/O operations per second generated during the process' startup phase (see StartupTimeMs). | Number | | Count | Win | 150 |
AppId | Associated application ID. Used by uberAgent to look up the application name and populate the field AppName. | String | | Snapshot | all | GglChrm |
ProcID | Process ID generated by the OS. Process IDs are reused and cannot be used to uniquely identify a process. Use ProcGUID for that purpose instead. | Number | | Snapshot | all | 456 |
ProcParentID | Parent process ID (also see ProcID). | Number | | Snapshot | all | 789 |
SessionID | Session ID generated by the OS. Session IDs are reused and cannot be used to uniquely identify a session. Use SessionGUID for that purpose instead. macOS: for consistency with Windows, all non-user sessions are assigned to a fictitious system session 0. | Number | | Snapshot | all | 3 |
ProcGUID | Unique identifier for a process instance that is generated by uberAgent. | String | | Snapshot | all | 00000000-ebe5-469c-63ae-f5a1de28d401 |
SessionGUID | Unique identifier for a session that is generated by uberAgent. | String | | Snapshot | Win | 00000002-f295-9109-e7c7-c964011dd401 |
ProcParentName | Parent process name. | String | | Snapshot | all | powershell.exe |
ProcPath | Full path to the process executable in the file system. | String | | Snapshot | all | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
ProcCmdline | The process' command line. | String | | Snapshot | all | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --url http://vastlimits.com |
IsElevated | Indicates if the process is elevated (has admin rights). | String | | Snapshot | all | 1 |
AppVersion | Associated application version. | String | | Snapshot | all | 67.0.3396.99 |
ProcParentGUID | Unique identifier of the parent process (the parent's ProcGUID). | String | | Snapshot | all | 00000000-ebe5-469c-54ae-f5a1de28d401 |
IsProtected | Indicates whether the process is protected (PsProtectedTypeProtected) or protected light (PsProtectedTypeProtectedLight, PPL). | String | | Snapshot | Win | 1 |
HashMD5 | MD5 hash of the process executable (requires ESA). | String | | Snapshot | Win | 7FFE122B109F1B586DEA2ED0F406E952 |
HashSHA1 | SHA1 hash of the process executable (requires ESA). | String | | Snapshot | Win | 26DBC241A37881072689CD05C70489C2CDFB562A |
HashSHA256 | SHA256 hash of the process executable (requires ESA). | String | | Snapshot | Win | 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC |
HashIMP | Import-table hash of the process executable (requires ESA). | String | | Snapshot | Win | 188392D5FBCC485811BB54211E4D2978 |
SignatureStatus | Authenticode signature status. Can be 0, 1, 2, 3, 4, 5, 6 or 7. See also SignatureStatusDisplayName. Requires ESA. | String | | Snapshot | Win | 1 |
IsSignedByOSVendor | Indicates whether the Authenticode signer is the OS manufacturer (e.g., Microsoft). Requires ESA. | String | | Snapshot | Win | 1 |
SignerName | Authenticode signer name (requires ESA). | String | | Snapshot | Win | Microsoft Windows |
Notes:
- The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID.
- The maximum supported timer Interval for the ProcessStartup metric is 300000 (5 minutes).
List of Calculated Fields
Field | Description | Data type | Unit | Measurement type | Where available | Example |
---|---|---|---|---|---|---|
User | Alias for ProcUser. | String | | Snapshot | Splunk data model | Domain\JohnDoe |
StartupTimeS | Startup time duration. | Number | s | Sum | Splunk data model | 0.3 |
StartupIOCount | StartupIOPS * StartupTimeMs / 1000. | Number | | Sum | Splunk data model | 45 |
AppName | Associated application name. | String | | Snapshot | Splunk data model, Splunk SPL | Google Chrome |
SignatureStatusDisplayName | Possible values: Unknown, Ok, Revoked, Expired, InvalidHash, UntrustedRoot, TrustedRootNotInCA and Error. | String | | Snapshot | Splunk data model | Ok |
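As an added example that is not part of uberAgent's documentation or code, the following Python derives the calculated fields listed above from raw ProcessStartup events, checks which events carry the EnableExtendedInfo-only fields, and walks the parent chain by ProcGUID rather than the reusable ProcID. The numeric SignatureStatus-to-display-name mapping and the sample events are assumptions built from the page's example values.

```python
# Added example, not uberAgent's own code: derives the calculated fields documented above
# from raw ProcessStartup events and links parent/child processes via ProcGUID/ProcParentGUID
# rather than the reusable ProcID/ProcParentID. Assumption: SignatureStatus 0..7 maps to the
# display names in the order the page lists them (0 = Unknown ... 7 = Error); only 1 -> Ok is confirmed.
SIGNATURE_STATUS_NAMES = ["Unknown", "Ok", "Revoked", "Expired", "InvalidHash",
                          "UntrustedRoot", "TrustedRootNotInCA", "Error"]
# Fields that stay empty unless EnableExtendedInfo is true (see the notes above).
EXTENDED_INFO_FIELDS = ("ProcID", "ProcParentID", "SessionID", "ProcGUID", "SessionGUID",
                        "ProcParentName", "ProcPath", "ProcCmdline", "ProcParentGUID")

def calculated_fields(event):
    """Compute User, StartupTimeS, StartupIOCount and SignatureStatusDisplayName."""
    out = {"User": event.get("ProcUser", "")}
    if event.get("StartupTimeMs", "") != "":
        ms = float(event["StartupTimeMs"])
        out["StartupTimeS"] = ms / 1000                       # 300 ms -> 0.3 s
        if event.get("StartupIOPS", "") != "":                # IOPS * seconds = I/O count
            out["StartupIOCount"] = float(event["StartupIOPS"]) * ms / 1000
    if event.get("SignatureStatus", "") != "":
        idx = int(event["SignatureStatus"])
        out["SignatureStatusDisplayName"] = (SIGNATURE_STATUS_NAMES[idx]
                                             if 0 <= idx < len(SIGNATURE_STATUS_NAMES) else "Unknown")
    return out

def has_extended_info(event):
    """True only when every EnableExtendedInfo-dependent field is populated."""
    return all(event.get(f, "") != "" for f in EXTENDED_INFO_FIELDS)

def parent_chain(events, proc_guid):
    """Process names from the given process up to its oldest ancestor present in the data."""
    by_guid = {e["ProcGUID"]: e for e in events if e.get("ProcGUID")}
    chain, seen = [], set()
    while proc_guid in by_guid and proc_guid not in seen:     # 'seen' guards against cycles
        seen.add(proc_guid)
        chain.append(by_guid[proc_guid]["ProcName"])
        proc_guid = by_guid[proc_guid].get("ProcParentGUID", "")
    return chain

# Constructed sample events reusing the page's example values (not real telemetry).
PARENT = {"ProcName": "powershell.exe", "ProcUser": "Domain\\JohnDoe", "StartupTimeMs": "120",
          "StartupIOPS": "50", "SignatureStatus": "1", "ProcID": "456", "ProcParentID": "1", "SessionID": "3",
          "ProcGUID": "00000000-ebe5-469c-54ae-f5a1de28d401", "ProcParentGUID": "11111111-0000-0000-0000-000000000000",
          "SessionGUID": "00000002-f295-9109-e7c7-c964011dd401", "ProcParentName": "explorer.exe",
          "ProcPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcCmdline": "powershell.exe"}
CHILD = dict(PARENT, ProcName="chrome.exe", StartupTimeMs="300", StartupIOPS="150", ProcID="789", ProcParentID="456",
             ProcGUID="00000000-ebe5-469c-63ae-f5a1de28d401", ProcParentGUID=PARENT["ProcGUID"],
             ProcParentName="powershell.exe", ProcPath=r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
             ProcCmdline=r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --url http://vastlimits.com")
BARE = {"ProcName": "notepad.exe", "ProcUser": "Domain\\JohnDoe", "StartupTimeMs": "80", "StartupIOPS": "10"}
SAMPLE_EVENTS = [PARENT, CHILD, BARE]   # BARE was collected with EnableExtendedInfo off
```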