Machine Blue Screens and Hangs Metrics
Blue Screens and Hangs
uberAgent collects information on every blue screen and hang, like the type of error (blue screen, hard power off or hang) and the stop error code.
Details
- Source type: uberAgent:System:Bugcheck
- Used in dashboards: Stop Errors (Blue Screen & Power Loss)
- Enabled through configuration setting: ApplicationErrors
- Related configuration settings: n/a
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| BugcheckCode | Stop error code ID. Possible values: too many to list here. Please check the lookup file bugcheck_codes.csv or Microsoft’s bug check code reference. | Number | 0x1 | |
| BugcheckParameter1 | Stop error parameter 1. The meaning of this value depends on the bugcheck code and can be looked up in Microsoft’s bug check code reference | String | 0x7ffd8e8c7864 | |
| BugcheckParameter2 | Stop error parameter 2. The meaning of this value depends on the bugcheck code and can be looked up in Microsoft’s bug check code reference | String | 0x1 | |
| BugcheckParameter3 | Stop error parameter 3. The meaning of this value depends on the bugcheck code and can be looked up in Microsoft’s bug check code reference | String | 0x0 | |
| BugcheckParameter4 | Stop error parameter 4. The meaning of this value depends on the bugcheck code and can be looked up in Microsoft’s bug check code reference | String | 0xffffe181ead22b80 | |
| SleepInProgress | Indicates if the machine was in sleep mode when stop error occured. Possible values: 0, 1 | Number | 0 | |
| PowerButtonTimestamp | Indicates if the power button on the computer was pushed and held for at least four seconds. Possible values: 0 or Windows FILETIME timestamp of when the power button was pressed. | Number | 131768171003182508 | |
| PowerButtonTimestampEpoch | Indicates if the power button on the computer was pushed and held for at least four seconds. Possible values: 0 or Unix epoch timestamp of when the power button was pressed. | Number | 1532343500318 | |
| BootAppStatus | n/a | String | 0 | |
| Checkpoint | n/a | Number | 0 | |
| ConnectedStandbyInProgress | Indicates if the machine was in connected standby mode when stop error occured. Possible values: 0, 1 | String | 0 | |
| SystemSleepTransitionsToOn | Indicates if the machine was in the transition from sleep to on mode when stop error occured. Possible values: 0, 1 | Number | 0 | |
| CsEntryScenarioInstanceId | n/a | Number | 0 |
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| BugcheckCodeDisplayName | Stop error code name. Possible values: too many to list here. Please check the lookup file bugcheck_codes.csv or Microsoft’s bug check code reference. | String | Hard power off | Splunk data model |
Interpreting the Data
The data collected by uberAgent helps to identify three different types of blue screens and hangs:
“Normal” Bugcheck
Conditions:
- BugcheckCode > 0
Explanation: the bugcheck code can be determined and written to disk before the computer shuts down or restarts.
Hard Power Off
Conditions:
- PowerButtonTimestamp > 0
Explanation: the machine was turned off by pressing and holding the power button for at least 4 seconds.
Random Restart
Conditions:
- BugcheckCode = 0
- PowerButtonTimestamp = 0
Explanation: power loss or hard hang.
