Application and Process Startup Metrics
uberAgent collects metrics for each application or process that is being launched like startup duration, IOPS during startup as well as if the process was started with admin privileges.
Note: as with all other metrics process startup duration is recorded automatically without requiring any configuration. uberAgent optionally only shows new processes never seen before.
Note: processes are auto-grouped into applications, i.e. the application name is determined automatically without requiring any configuration. Information on how this works are available here.
If the configuration setting
EnableExtendedInfo is enabled, uberAgent also collects metrics like the full path to the process executable in the file system as well the full commandline the process was launched with.
- Source type:
- Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
- Enabled through configuration setting:
- Related configuration settings:
- Supported platform: Windows
|Field||Description||Data type||Unit||Measurement type||Example|
|StartupTimeMs||Startup time duration||Number||ms||Sum||300|
|StartupIOPS||Startup I/O operations per second||Number||Count||150|
|AppId||Associated application ID. Used by uberAgent to lookup application names and populate field
|ProcParentID||Parent process ID||Number||Snapshot||789|
|SessionID||Unique identifier that is generated by the machine when the session is created.
Will be reassigned to other sessions after logoff.
|ProcGUID||Unique identifier that is generated by uberAgent when the process is started||String||Snapshot||00000000-ebe5-469c-63ae-f5a1de28d401|
|SessionGUID||Unique identifier that is generated by uberAgent when the session is created.
Valid for this session only.
|ProcParentName||Parent process name||String||Snapshot||powershell.exe|
|ProcPath||Full path to the process executable in the file system||String||Snapshot||C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|
|ProcCmdline||Full commandline the process was launched with||String||Snapshot||C:\Program Files (x86)\Google\Chrome\Application\chrome.exe –url http://vastlimits.com|
|IsElevated||Indicates if the process was started elevated (admin rights)||String||Snapshot||1|
|AppVersion||Associated application version||String||Snapshot||67.0.3396.99|
|ProcParentGUID||Unique identifier of the parent process||String||Snapshot||00000000-ebe5-469c-54ae-f5a1de28d401|
|ProcHash||Hash value of process||String||Snapshot||3D20D4221A46D0C1C6284BA9F09E65C4|
|HashType||The type of the calculated hash||String||Snapshot||1, 2, 3 or 4|
|IsProtected||Indicates whether the process was started protected||String||Snapshot||1|
The following fields are empty unless
EnableExtendedInfo is set to true:
|Field||Description||Data type||Unit||Measurement type||Where available||Example|
|User||Content of field
||String||Snapshot||Splunk data model||Domain\JohnDoe|
|StartupTimeS||Startup time duration||Number||s||Sum||Splunk data model||0.3|
||Number||Sum||Splunk data model||45|
|AppName||Associated application name||String||Snapshot||Splunk data model, Splunk SPL||Google Chrome|
|HashTypeDisplayName||Hash type name. Possible values:
||String||Snapshot||Splunk data model, Splunk SPL||MD5|