Splunk Events and Source Types

This page lists the field names and source types for each type of event generated by uberAgent.

Application

Usage

Source type:
uberAgent:Application:ApplicationUsage
Field list:
AppName, UserName, AppVersion, RemotingClientName
Enabled through configuration setting:
ApplicationUsage

Inventory

Source type:
uberAgent:Application:ApplicationInventory
Field list:
DisplayName, DisplayVersion, Publisher, InstallDate, Language, IsMsiPackage, IsMachineInstall, InstallLocation
Enabled through configuration setting:
ApplicationInventory

Errors

Source type:
uberAgent:Application:Errors
Field list:
ErrorType, ProcName, ProcPath, ProcVersion, ProcTimestamp, ModuleName, ModulePath, ModuleVersion, ModuleTimestamp, ProcID, ProcLifetimeMs, ExceptionCode, FaultOffset, AppPackageFullName, AppPackageRelativeId, AppId, ProcUser, SessionGUID, ProcGUID, AppVersion
Enabled through configuration setting:
ApplicationErrors

Miscellaneous

Source type:
uberAgent:Application:AppNameIdMapping
Field list:
AppName, AppId
Enabled through configuration setting:
ProcessDetailTop5 or ProcessDetailFull
Source type:
uberAgent:Application:UIDelay
Field list:
AppId, AppVersion, ProcessName, ProcessId, UIDelayMs, User, SessionGUID, HasFocus
Enabled through configuration setting:
ApplicationUILatency

Browser (Internet Explorer)

Source type:
uberAgent:Application:BrowserPerformanceIE
Field list:
ProcID, ProcType, URL, CPUTimeMs, CPUPercent, IOPS, IOCount, IOMB, IOLatencyMs, WorkingSetMB, NetKBPS
Enabled through configuration setting:
BrowserPerformanceIE

Browser (Chrome)

Source type:
uberAgent:Application:BrowserPerformanceChrome
Field list:
ProcUser, ProcType, CPUTimeMs, CPUPercent, IOPS, IOCount, IOMB, IOLatencyMs, WorkingSetMB, NetKBPS
Enabled through configuration setting:
BrowserPerformanceChrome

Citrix XenApp/XenDesktop Site

Source type:
uberAgent:Citrix:Applications
Field list:
Id, Name, PublishedName, SiteName, SiteGuid, DesktopGroupId, DesktopGroupName, ApplicationType, Enabled, AdminFolder, LifecycleState, CreatedDate, ModifiedDate, Tags
Enabled through configuration setting:
CitrixDCApplication
Source type:
uberAgent:Citrix:Catalogs
Field list:
Id, Name, SiteName, SiteGuid, LifecycleState, ProvisioningType, PersistentUserChanges, IsMachinePhysical, AllocationType, SessionSupport, ProvisioningSchemeId, CreatedDate, ModifiedDate
Enabled through configuration setting:
CitrixDCCatalog
Source type:
uberAgent:Citrix:Databases
Field list:
SiteName, SiteGuid, DataStore, IntegratedSecurity, MirrorServerAddress, Name, ServerAddress
Enabled through configuration setting:
CitrixDCGeneralInformation
Source type:
uberAgent:Citrix:DesktopGroups
Field list:
Id, Name, SiteName, SiteGuid, IsRemotePC, DesktopKind, LifecycleState, SessionSupport, DeliveryType, Tags, CreatedDate, ModifiedDate
Enabled through configuration setting:
CitrixDCDesktopGroup
Source type:
uberAgent:Citrix:Hypervisors
Field list:
Id, Name, SiteName, SiteGuid, LifecycleState
Enabled through configuration setting:
CitrixDCHypervisor
Source type:
uberAgent:Citrix:Licenses
Field list:
SiteName, SiteGuid, LicenseServer, LicenseProductName, LicenseEdition, LicenseExpirationDate, LicenseSubscriptionAdvantageDate, LicenseType, LicenseTypeLocalized, LicensesInUse, LicensesAvailable, LicenseOverdraft, LicenseModel
Enabled through configuration setting:
CitrixDCLicenseInformation
Source type:
uberAgent:Citrix:Machines
Field list:
Id, Sid, Name, NameHost, SiteName, SiteGuid, EffectiveLoadIndex, DnsName, LifecycleState, IPAddress, HostedMachineId, HostingServerName, HostedMachineName, IsAssigned, IsInMaintenanceMode, IsPendingUpdate, AgentVersion, AssociatedUserFullNames, AssociatedUserNames, AssociatedUserUPNs, CurrentRegistrationState, RegistrationStateChangeDate, LastDeregisteredCode, LastDeregisteredDate, CurrentPowerState, CurrentSessionCount, ControllerDnsName, PoweredOnDate, PowerStateChangeDate, FunctionalLevel, FailureDate, WindowsConnectionSetting, IsPreparing, FaultState, CatalogId, DesktopGroupId, HypervisorId, Hash, MachineRole, HypervisorDisplayName, CatalogDisplayName, DesktopGroupDisplayName, CreatedDate, ModifiedDate, Tags
Enabled through configuration setting:
CitrixDCMachine
Source type:
uberAgent:Citrix:PublishedDesktops
Field list:
Id, Name, PublishedName, SiteName, SiteGuid, DesktopGroupId, DesktopGroupName, BrowserName, ColorDepth, Description, Enabled, ExcludedUserFilterEnabled, ExcludedUsers, IncludedUserFilterEnabled, IncludedUsers, LeasingBehavior, RestrictToTag, SecureIcaRequired, SessionReconnection, Tags
Enabled through configuration setting:
CitrixDCPublishedDesktops

Computer Startup (System Boot)

Source type:
uberAgent:OnOffTransition:BootDetail
Field list:
KernelInitTimeMs, SmssInitTimeMs, AutoCheckTimeMs, Session0InitDurationMs, Session1InitDurationMs, WininitInitDurationMs, WinlogonInitDurationMs, AutostartServicesMs, ComputerStartupMs, MainPathBootTimeMs, PostBootTimeMs, TotalBootTimeMs, BootUID
Enabled through configuration setting:
BootDetail
Source type:
uberAgent:OnOffTransition:BootProcessDetail
Field list:
ProcessName, ProcessIOReadCount, ProcessIOWriteCount, ProcessIOReadMB, ProcessIOWriteMB, ProcessIOLatencyMs, BootUID
Enabled through configuration setting:
BootDetail
Source type:
uberAgent:OnOffTransition:BootProcesses
Field list:
ProcName, ProcID, ProcParentID, ProcStartTimeRelativeMs, ProcLifetimeMs, ProcCmdline, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, SessionID, TotalBootDurationMs, SortOrder, BootUID
Enabled through configuration setting:
BootDetail

Machine

Performance and Utilization

Source type:
uberAgent:System:GpuUsage
Field list:
DisplayAdapterName, MemorySharedMB, MemoryDedicatedMB, MemorySharedPercent, MemoryDedicatedPercent, ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0, ComputeUsagePercentEngine1, ComputeUsagePercentEngine2, ComputeUsagePercentEngine3, ComputeUsagePercentEngine4, ComputeUsagePercentEngine5, ComputeUsagePercentEngine6, ComputeUsagePercentEngine7, ComputeUsagePercentEngine8, ComputeUsagePercentEngine9, ComputeUsagePercentEngine10, ComputeUsagePercentEngine11, MemorySharedSizeMB, MemoryDedicatedSizeMB
Enabled through configuration setting:
GpuUsage
Source type:
uberAgent:System:SmbClient
Field list:
SharePath, IOPSRead, IOPSWrite, IOPSMetadata, IOCountRead, IOCountWrite, IOCountMetadata, IOMBRead, IOMBWrite, IOLatencyMsRead, IOLatencyMsWrite
Enabled through configuration setting:
SMBClientSharePerformance
Source type:
uberAgent:System:SystemPerformanceSummary
Field list:
CPUUsagePercent, RAMUsagePercent, RAMUsageGB, IOPSRead, IOPSWrite, IOCountRead, IOCountWrite, IOMBRead, IOMBWrite, IOLatencyMsRead, IOLatencyMsWrite, IOPercentDiskTime, NetUtilizationPercent, KernelPagedMB, KernelNonPagedMB, HandleCount, ThreadCount, IdlenessPercent
Enabled through configuration setting:
SystemPerformanceSummary

Errors

Source type:
uberAgent:System:Bugcheck
Field list:
BugcheckCode, BugcheckParameter1, BugcheckParameter2, BugcheckParameter3, BugcheckParameter4, SleepInProgress, PowerButtonTimestamp, PowerButtonTimestampEpoch, BootAppStatus, Checkpoint, ConnectedStandbyInProgress, SystemSleepTransitionsToOn, CsEntryScenarioInstanceId
Enabled through configuration setting:
ApplicationErrors

Inventory

Source type:
uberAgent:System:DiskInventory
Field list:
Name, Enumerator, DiskNumber, CapacityMB, IsWritable, IsRemovable
Enabled through configuration setting:
MachineInventory
Source type:
uberAgent:System:MachineInventory
Field list:
OsName, OsSpName, OsVersion, OsBuild, OsArchitecture, OsSpVersion, OsType, OsInstallDate, HwManufacturer, HwModel, HwBiosVersion, AdDomainDns, AdDomainNetBios, AdSite, AdOu, ComputerNameDn, ComputerNameCanonical, CtxFarmName, CtxMachineCatalogName, CtxDeliveryGroupName, Ipv4Address, NetworkAdapterName, NetworkAdapterDescription, RAMSizeGB, PowerSupportsConnectedStandby, PowerSupportsS1, PowerSupportsS2, PowerSupportsS3, PowerSupportsS4, PowerSupportsS5, IsUpsPresent, IsBatteryPresent, BatteryWearLevelPercent, CPUName, CPUSockets, CPUCoresPhysical, CPUCoresLogical, CPUMaxMhz, HwIsVirtualMachine
Enabled through configuration setting:
MachineInventory
Source type:
uberAgent:System:MonitorInventory
Field list:
MonitorIndex, MonitorHRes, MonitorVRes, MonitorColorDepth, MonitorIsPrimary, MonitorDisplayName
Enabled through configuration setting:
MachineInventory
Source type:
uberAgent:System:VolumeInventory
Field list:
Guid, DeviceName, Label, FileSystem, MountPoints, DiskNumbers, FreeMB, CapacityMB, UsedSpacePercent, PartitionStyle, IsSystemVolume, IsBootVolume, IsDirty
Enabled through configuration setting:
MachineInventory

Microsoft Outlook

Source type:
uberAgent:Application:OutlookPluginLoad
Field list:
Name, ProgID, GUID, LoadBehavior, HKLM, BootTimeMs
Enabled through configuration setting:
OutlookPerformanceEvents

Network Target

Performance

Source type:
uberAgent:Process:NetworkTargetPerformance
Field list:
ProcName, ProcUser, NetTargetRemoteAddress, NetTargetRemoteName, NetTargetRemotePort, NetTargetSendCount, NetTargetReceiveCount, NetTargetConnectCount, NetTargetSendKBPS, NetTargetReceiveKBPS, NetTargetSendMB, NetTargetReceiveMB, NetTargetSendLatencyMs, NetTargetProtocols, NetTargetSendLatencyCount, AppId, NetTargetReconnectCount, NetTargetRetransmitCount, AppVersion
Enabled through configuration setting:
NetworkTargetPerformanceProcess

Errors

Source type:
uberAgent:Application:NetworkConnectFailure
Field list:
AppId, AppVersion, ProcessName, ProcessId, User, SessionGUID, NetTargetRemoteAddress, NetTargetRemoteName, NetTargetRemotePort, NetTargetProtocols
Enabled through configuration setting:
NetworkTargetPerformanceProcess

On/Off Transitions

Delays

Source type:
uberAgent:OnOffTransition:SlowAppStartup
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
BootDetail
Source type:
uberAgent:OnOffTransition:SlowAppShutdown
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
ShutdownDetail
Source type:
uberAgent:OnOffTransition:SlowAppStandby
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
StandbyDetail
Source type:
uberAgent:OnOffTransition:SlowServiceStartup
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
BootDetail
Source type:
uberAgent:OnOffTransition:SlowServiceShutdown
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
ShutdownDetail
Source type:
uberAgent:OnOffTransition:SlowServiceHybridStandby
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
StandbyDetail
Source type:
uberAgent:OnOffTransition:SlowDriverStartup
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
BootDetail
Source type:
uberAgent:OnOffTransition:SlowDriverShutdown
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
ShutdownDetail
Source type:
uberAgent:OnOffTransition:SlowDriverStandby
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs, DeviceFriendlyName
Enabled through configuration setting:
StandbyDetail
Source type:
uberAgent:OnOffTransition:SlowDriverResume
Field list:
Name, FriendlyName, Version, TotalTimeMs, DegradationTimeMs, DeviceFriendlyName
Enabled through configuration setting:
StandbyDetail
Source type:
uberAgent:OnOffTransition:SlowUserPolicy
Field list:
Name, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
BootDetail
Source type:
uberAgent:OnOffTransition:SlowSMSSInit
Field list:
Name, TotalTimeMs, DegradationTimeMs
Enabled through configuration setting:
BootDetail

Shutdown

Source type:
uberAgent:OnOffTransition:ShutdownDetail
Field list:
TotalShutdownTimeMs, UserSessionTimeMs, UserPolicyTimeMs, UserProfilesTimeMs, SystemSessionsTimeMs, PreShutdownNotificationsTimeMs, ServicesTimeMs, KernelTimeMs
Enabled through configuration setting:
ShutdownDetail

Standby/Resume

Source type:
uberAgent:OnOffTransition:StandbyDetail2
Field list:
SleepTime, WakeTime, EnterStandbyMs, ResumeFromStandbyMs, DriverInitDuration, BiosInitDuration, HiberWriteDuration, HiberReadDuration, HiberPagesWritten, Attributes, TargetState, EffectiveState, WakeSourceType, WakeSourceTextLength, WakeSourceText, WakeTimerOwnerLength, WakeTimerContextLength, NoMultiStageResumeReason, WakeTimerOwner, WakeTimerContext
Enabled through configuration setting:
StandbyDetail

Performance Counters

Source type:
uberAgent:System:PerformanceCounter
Field list:
<CounterName>
Enabled through configuration setting:
Performance Counters

Process

Source type:
uberAgent:Process:ProcessDetail
Field list:
ProcName, ProcCPUTimeMs, ProcCPUPercent, ProcIOPSRead, ProcIOPSWrite, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, ProcWorkingSetMB, ProcNetKBPS, ProcUser, ProcGpuComputePercent, ProcGpuMemMB, AppId, AppVersion, ProcID, ProcCmdline, ProcGUID
Enabled through configuration setting:
ProcessDetailTop5 or ProcessDetailFull
Source type:
uberAgent:Process:ProcessStartup
Field list:
ProcName, ProcUser, StartupTimeMs, StartupIOPS, AppId, ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, IsElevated, AppVersion
Enabled through configuration setting:
ProcessStartup
The following fields are empty unless EnableExtendedInfo is set to true:
ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline

Session

Source type:
uberAgent:Session:SessionCount
Field list:
SessionCount
Enabled through configuration setting:
SessionCount
Source type:
uberAgent:Session:SessionDetail
Field list:
SessionID, SessionLogonTime, SessionProtocol, SessionConnectionState, SessionProcessCount, SessionCPUTimeMs, SessionCPUUsagePercent, SessionIOPS, SessionIOCount, SessionIOMB, SessionIOLatencyMs, SessionWorkingSetMB, SessionNetKBPS, SessionUser, SessionGUID, SessionRpLatencyMs, SessionClientMac, SessionClientIp, SessionClientName, SessionClientDomain, SessionClientUser, SessionClientUserDomain, SessionHRes, SessionVRes, SessionColorDepth, SessionClientPlatform, SessionClientVersion, SessionClientOsLanguage, SessionPublishedName, SessionPublishedAppsCtx, SessionAppStateCtx, SessionEncryptionCtx, SessionClientTypeCtx, SessionBrokerDnsVmw, SessionBrokerUrlVmw, SessionBrokerTunneledVmw, SessionBrokerTunnelUrlVmw, SessionBrokerRemoteIpVmw, SessionBrokerUserVmw, SessionBrokerDomainVmw, SessionClientTimezoneVmw, SessionClientIdVmw, SessionTypeVmw, SessionBrokerType, SessionFgAppId, SessionFgAppVersion, SessionFgProcessName, SessionFgProcessId, SessionFgAppUILatencyUs, SessionClientHwIdCtx
Enabled through configuration setting:
SessionDetail

Software Update

Source type:
uberAgent:Application:SoftwareUpdateInventory
Field list:
Guid, DisplayName, ProductName, State, InstallDate
Enabled through configuration setting:
SoftwareUpdateInventory

uberAgent Licensing

Source type:
uberAgent:License:LicenseInfo
Field list:
LicensingState, LicenseId, LicenseCountTotal, LicensingModel, LicensingModelDetail, LicensingType, MaintenanceEnd, Expiration, LicensedComponents, ProductVersion

User Logoff

Source type:
uberAgent:Logoff:GroupPolicyLogoffScriptTimeMs
Field list:
SessionGUID, SessionID, User, GroupPolicyLogoffScriptTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logoff:LogoffPerformance
Field list:
SessionGUID, SessionID, User, ProcessStartCount, IOCountRead, IOCountWrite, IOMBRead, IOMBWrite, IOLatencyReadMs, IOLatencyWriteMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Process:LogoffProcesses
Field list:
ProcName, ProcID, ProcParentName, ProcParentID, ProcUser, AppId, AppVersion, LogoffProcType, ProcStartTimeRelativeMs, ProcLifetimeMs, ProcCmdline, ProcPath, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, ProcNetKBPS, SessionGUID, SessionID, TotalLogoffDurationMs, SortOrder
Enabled through configuration setting:
LogonProcesses
Source type:
uberAgent:Logoff:ProfileUnloadTimeMs
Field list:
SessionGUID, SessionID, User, ProfileUnloadTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logoff:SessionLogoffTime
Field list:
SessionGUID, SessionID, User, SessionLogoffTime
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logoff:TotalLogoffTimeMs
Field list:
SessionGUID, SessionID, User, TotalLogoffTimeMs
Enabled through configuration setting:
LogonDetail

User Logon

Source type:
uberAgent:Logon:ADLogonScriptTimeMs
Field list:
SessionGUID, SessionID, User, ADLogonScriptTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:GroupPolicyProcessingTimes
Field list:
SessionGUID, SessionID, User, GroupPolicyTotalProcessingTimeMs, DcDiscoveryTimeMs, LoopbackMode
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:GroupPolicyCSEDetail
Field list:
SessionGUID, SessionID, User, CseName, CseDurationS, CseGPONames, CseReturnCode
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:GroupPolicyLogonScriptTimeMs
Field list:
SessionGUID, SessionID, User, GroupPolicyLogonScriptTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:LogonPerformance
Field list:
ProcessStartCount, IOCountRead, IOCountWrite, IOMBRead, IOMBWrite, IOLatencyReadMs, IOLatencyWriteMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Process:LogonProcesses
Field list:
ProcName, ProcID, ProcParentName, ProcParentID, ProcUser, AppId, AppVersion, LogonProcType, ProcStartTimeRelativeMs, ProcLifetimeMs, ProcCmdline, ProcPath, ProcCPUTimeMs, ProcIOReadCount, ProcIOWriteCount, ProcIOReadMB, ProcIOWriteMB, ProcIOLatencyReadMs, ProcIOLatencyWriteMs, ProcWorkingSetMB, ProcNetKBPS, SessionGUID, SessionID, TotalLogonDurationMs, SortOrder
Enabled through configuration setting:
LogonProcesses
Source type:
uberAgent:Logon:ProfileLoadTimeMs
Field list:
SessionGUID, SessionID, User, CitrixPMLoadTimeMs, ProfileLoadTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:SessionEnd
Field list:
SessionGUID, SessionID, User, SessionEndTime, SessionDurationMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:ResWmProcessingTimeMs
Field list:
SessionGUID, SessionID, User, ResWmProcessingTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:SessionLogonTime
Field list:
SessionGUID, SessionID, User, SessionLogonTime, PreLogonInitTimeMs, SiteName, LogonServer
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:ShellStartupTimeMs
Field list:
SessionGUID, SessionID, User, ShellStartupTimeMs
Enabled through configuration setting:
LogonDetail
Source type:
uberAgent:Logon:TotalLogonTimeMs
Field list:
SessionGUID, SessionID, User, TotalLogonTimeMs
Enabled through configuration setting:
LogonDetail
