Skip to main content

Application and Process Startup Metrics

Process Startup

For each application or process that is being launched, uberAgent collects metrics like startup performance (duration, IOPS), as well as process properties (e.g., elevation status). If the configuration setting EnableExtendedInfo is enabled, uberAgent also collects metrics like the full path to the process executable in the file system as well the full command line the process was launched with.

Notes:

  • As with all other metrics, process startup duration is recorded automatically without requiring any configuration. uberAgent optionally only shows new processes never seen before in the Splunk dashboards.
  • Processes are auto-grouped into applications, i.e., the application name is determined automatically. Information on how automatic application identification works is available here.

Details

  • Source type: uberAgent:Process:ProcessStartup
  • Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
  • Enabled through configuration setting: ProcessStartup
  • Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]

List of Fields in the Raw Agent Data

Field Description Data type Unit Measurement type Platform Example
ProcName Process name. String Snapshot all chrome.exe
ProcUser Process user. String Snapshot all Domain\JohnDoe
StartupTimeMs Startup time duration (how long it took the process to initialize). Number ms Sum Win 300
StartupIOPS I/O operations per second generated during the process’ startup phase (see StartupTimeMs. Number Count Win 150
AppId Associated application ID. Used by uberAgent to look up the application name and populate the field AppName. String Snapshot all GglChrm
ProcID Process ID generated by the OS. Process IDs are reused and cannot be used to uniquely identify a process. Use ProcGUID for that purpose instead. Number Snapshot all 456
ProcParentID Parent process ID (also see ProcID). Number Snapshot all 789
SessionID Session ID generated by the OS. Session IDs are reused and cannot be used to uniquely identify a session. Use SessionGUID for that purpose instead. Number Snapshot all 3
ProcGUID Unique identifier for a process instance that is generated by uberAgent. String Snapshot all 00000000-ebe5-469c-63ae-f5a1de28d401
SessionGUID Unique identifier for a session that is generated by uberAgent. String Snapshot Win 00000002-f295-9109-e7c7-c964011dd401
ProcParentName Parent process name. String Snapshot all powershell.exe
ProcPath Full path to the process executable in the file system. String Snapshot all C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ProcCmdline The process’ command line. String Snapshot all C:\Program Files (x86)\Google\Chrome\Application\chrome.exe –url http://vastlimits.com
IsElevated Indicates if the process is elevated (has admin rights). String Snapshot all 1
AppVersion Associated application version. String Snapshot all 67.0.3396.99
ProcParentGUID Unique identifier of the parent process (the parent’s ProcGUID). String Snapshot all 00000000-ebe5-469c-54ae-f5a1de28d401
IsProtected Indicates whether the process is protected (PsProtectedTypeProtected) or protected light (PsProtectedTypeProtectedLight, PPL). String Snapshot Win 1
HashMD5 MD5 hash of the process executable (requires ESA). String Snapshot Win 7FFE122B109F1B586DEA2ED0F406E952
HashSHA1 SHA1 hash of the process executable (requires ESA). String Snapshot Win 26DBC241A37881072689CD05C70489C2CDFB562A
HashSHA256 SHA256 hash of the process executable (requires ESA). String Snapshot Win 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC
HashIMP Import-table hash of the process executable (requires ESA). String Snapshot Win 188392D5FBCC485811BB54211E4D2978
SignatureStatus Authenticode signature status. Can be 0, 1, 2, 3, 4, 5, 6 or 7. See also SignatureStatusDisplayName. Requires ESA. String Snapshot Win 1
IsSignedByOSVendor Indicates whether the Authenticode signer is the OS manufacturer (e.g., Microsoft). Requires ESA. String Snapshot Win 1
SignerName Authenticode signer name (requires ESA). String Snapshot Win Microsoft Windows

Notes:

  • The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID.
  • The maximum supported timer Interval for the ProcessStartup metric is 300000 (5 minutes).

List of Calculated Fields

Field Description Data type Unit Measurement type Where available Example
User Alias for ProcUser. String Snapshot Splunk data model Domain\JohnDoe
StartupTimeS Startup time duration. Number s Sum Splunk data model 0.3
StartupIOCount StartupIOPS * StartupTimeMs / 1000. Number Sum Splunk data model 45
AppName Associated application name. String Snapshot Splunk data model, Splunk SPL Google Chrome
SignatureStatusDisplayName Possible values: Unknown, Ok, Revoked, Expired, InvalidHash, UntrustedRoot, TrustedRootNotInCA and Error. String Snapshot Splunk data model Ok

Comments

Your email address will not be published. Required fields are marked *