List of Metrics

uberAgent collects data for the following metrics.

User Logon

Total logon duration. This includes:

  • Shell startup time
  • User profile load time (Microsoft user profile service and Citrix Profile Management)
  • Active Directory logon script processing time
  • Group Policy logon script processing time

Group Policy Processing

uberAgent collects the total Group Policy processing time in addition to the following much more detailed metrics:

  • Domain controller discovery time
  • GPOs applied during logon
  • Processing time for each active client side extension (CSE), both from Microsoft and third parties. This includes:
    • Registry
    • Folder redirection
    • IE branding
    • Offline files
    • Environment variables (preferences)
    • Folder options (preferences)
    • Local users and groups (preferences)
    • Citrix policies
    • Group Policy preferences
    • …and many more

Logon Process Performance

Detailed performance data about all processes active during user logon. For each of those processes uberAgent collects:

  • Process name
  • Process ID
  • Session ID
  • Parent process name
  • Parent process ID
  • Process user account
  • Associated application name
  • Associated application version
  • Process type (e.g. part of the logon script)
  • Process start time
  • Process lifetime duration
  • Commandline
  • Executable path
  • CPU footprint
  • Disk footprint
  • Memory footprint
  • Network footprint

Logon Process Summary

Summary performance data about process activity during user logon:

  • Number of processes started
  • Disk footprint

Related Splunk Events

uberagent-boot-io-count-per-process

Browsers

Internet Explorer

The following metrics are collected per website (URL):

  • CPU usage
  • RAM usage
  • IO count
  • IO volume
  • IOPS
  • IO latency
  • Network throughput

Related Splunk Events

Google Chrome

uberAgent collects performance data per Chrome process type, e.g.:

  • Browser (main process)
  • Tab (rendering process)
  • Extension (running Chrome extensions)
  • GPU (graphics acceleration)
  • Flash (playing Adobe Flash)
  • Java (running Java apps)

Related Splunk Events

Microsoft Office

Outlook

uberAgent collects Outlook plugin load duration and related information:

  • Plugin name, ProgID and GUID
  • Plugin load duration
  • Plugin “load behavior” (state)
  • Whether the plugin is installed per machine or per user

Related Splunk Events

Machine

Machine Performance

The following performance metrics are collected per machine:

  • CPU usage
  • RAM usage
  • GPU model
  • GPU compute usage
  • GPU memory usage
  • Kernel memory usage
  • IOPS (read and write separately)
  • IO volume (read and write separately)
  • IO count (read and write separately)
  • IO latency (read and write separately)
  • Disk utilization in percent
  • Network utilization in percent
  • Number of sessions
  • Number of processes
  • Number of threads
  • Number of handles

Machine Inventory

The following inventory metrics are collected per machine:

  • OS name
  • OS type and architecture
  • OS install date
  • Hardware manufacturer
  • Hardware model
  • BIOS version
  • BIOS version
  • AD domain
  • AD site
  • AD OU
  • AD computer distinguished name
  • Citrix farm name
  • Citrix machine catalog name
  • Citrix delivery group name
  • Primary IP address
  • Primary network adapter name
  • Primary network adapter description

Related Splunk Events

SMB Client Performance

The following inventory metrics are collected per network share the endpoint is connected to:

  • Share path
  • IOPS (read and write)
  • IO count (read and write)
  • IO volume in MB (read and write)
  • IO latency in ms (read and write)

Related Splunk Events

Network Communication

The following metrics are collected per network target and sending/receiving process. A network target is a communication endpoint from the point of view of the machine uberAgent is running on. uberAgent distinguishes between different services on the target machine and can show latencies for, say, SMB and SQL Server independently. Of course uberAgent supports both IPv4 and IPv6!

  • Source process (process sending/receiving data on the machine uberAgent is running on)
  • Target IP address
  • Target name
  • Target port
  • Send count
  • Receive count
  • Connect count
  • Send volume (MB)
  • Receive volume (MB)
  • Send throughput (KB/s)
  • Receive throughput (KB/s)
  • Send latency
  • Send latency count (number of measurements)
  • Protocols used

Related Splunk Events

Session

The following metrics are collected per user session:

  • Session ID
  • Computername
  • Logon time
  • Logoff time
  • Session duration
  • Protocol (ICA, RDP or console)
  • Connection state (e.g. active, disconnected)
  • User and domain
  • CPU usage
  • RAM usage
  • IO count
  • IO volume
  • IOPS
  • IO latency
  • Network throughput
  • ICA/HDX latency
  • Citrix ICA/HDX client information (name, IP address, version, etc.)
  • VMware RDP/PCoIP client information (name, IP address, etc.)
  • Microsoft RDP client information (name, IP address, etc.)
  • Foreground application name
  • Foreground application version
  • Foreground process name
  • Foreground process ID
  • Foreground application UI latency

Related Splunk Events

Applications

Application and Process Startup

The following fields are collected for each application or process that is being launched:

  • Startup duration
  • IOPS during startup
  • Application name
  • Process name
  • User and domain
  • Is the process running elevated (with admin privileges)?

Note: as with all other metrics process startup duration is recorded automatically without requiring any configuration.

If the configuration setting EnableExtendedInfo is enabled, the following metrics are collected, too:

  • Process ID
  • Parent process ID
  • RDS session ID
  • Process GUID (unique ID per process generated by uberAgent)
  • Session GUID (unique ID per RDS session generated by uberAgent)
  • Parent process name
  • Full path to the process executable in the file system
  • Full commandline the process was launched with

Related Splunk Events

Application and Process Performance

The following metrics are collected per application/process:

  • User and domain
  • Process name and ID
  • Process command line (optional)
  • Application name and version
  • CPU usage
  • RAM usage
  • GPU compute usage
  • GPU memory usage
  • IO count (read and write separately)
  • IO volume (read and write separately)
  • IOPS (read and write separately)
  • IO latency (read and write separately)
  • Network throughput
  • Network latency

Note: processes are auto-grouped into applications, i.e. the application name is determined automatically without requiring any configuration. The mechanism can be overridden for specific processes via the configuration file.

Related Splunk Events

Application UI Unresponsiveness

Whenever an application’s user interface is unresponsive for more than a few hundred milliseconds the following information is collected:

  • Application name (even for App-V, Java and modern UI / Metro apps)
  • Application version
  • Process name and ID
  • User and domain
  • Unresponsiveness duration
  • Related user session

Related Splunk Events

Application Crashes and Hangs

For every application error the following information is collected:

  • Application name
  • Process ID, GUID, name, path, version and timestamp
  • Process lifetime
  • User and domain
  • Related user session
  • Faulting module name, path version and timestamp
  • Exception code, fault offset,
  • App package full name and relative ID
  • Error type (crash or hang)

Related Splunk Events

Application Inventory and Usage

  • Application name (even for App-V, Java and modern UI / Metro apps)
  • Application version
  • Number of concurrent users (application usage metering)
  • Number of computers the application is run on
  • Number of (ICA/RDP/PCoIP) remoting clients the application was accessed from
  • Inventory (installation information like name, publisher, version, install date)

Related Splunk Events

Software Update

The following metrics are collected per update:

  • Name
  • Install date

Related Splunk Events

Computer Startup, Shutdown and Hibernation

Computer Startup (Machine Boot)

Computer startup duration includes:

  • Smss initialization
  • Autocheck (checkdisk)
  • Session 0 initialization
  • Session 1 initialization
  • Wininit initialization
  • Winlogon initialization
  • Autostart services

Related Splunk Events

Boot Processes

The following detailed information about each process running during the boot process is collected:

  • Process name, ID and parent ID
  • Relative start time and lifetime
  • Commandline
  • IO count (read and write)
  • IO volume (read and write)
  • IO latency (read and write)
  • Associated user session ID

Related Splunk Events

Other On/Off Transitions

uberAgent records the duration of the following on/off transition events in addition to system boot:

  • Suspend
  • Resume
  • Shutdown

Related Splunk Events

On/Off Transition Delays

uberAgent records which components are responsible for delays during system boot, suspend, resume and shutdown. Components can be drivers, system services or applications. For each delay uberAgent collects:

  • Driver/service/application name
  • Driver/service/application version
  • Total duration
  • Degradation (how much longer it took than normal)

Related Splunk Events

Performance Counters

uberAgent can optionally collect the values of any Windows Performance Counters.

Related Splunk Events

uberAgent Licensing

Information on uberAgent licenses.

Related Splunk Events

Questions?

Do you have questions that were not answered here? Please ask us, we are happy to help!