
Saving uberAgent Data to Disk on the Endpoint

Occasionally, you may find yourself in a situation where you need to look at uberAgent’s collected data before it is sent to the configured backend(s). This knowledgebase article shows you how to do that by guiding you through the following steps:

  • Make the required adjustments to your uberAgent configuration.
  • Set up a local TCP listener on the endpoint, which ultimately saves the data to a text file on the local disk.
  • Compare local with backend data.

uberAgent Configuration

Add an additional [Receiver] stanza to your active uberAgent configuration (uberAgent.conf) as follows:

[Receiver]
Name = Local TCP Receiver
Type = Splunk
Protocol = TCP
Servers = localhost:19501

This instructs uberAgent to send the data to a local TCP listener on port 19501 - in addition to any other backends you already had configured.

TCP Listener

Download the latest version of the TCP listener script from the uberAgent Support Scripts GitHub repository and save it to a location of your choice on the endpoint. We use C:\Temp\uA-StartTcpReceiver.ps1 here. Start the TCP listener script by running one of the following examples in an elevated PowerShell console.

Example 1

C:\Temp\uA-StartTcpReceiver.ps1 -Port 19501 -TimeoutMinutes 10 -EnableLogging

This starts the TCP listener on port 19501 and saves the received data to C:\Temp\uA-Data.txt. The script automatically stops after 10 minutes. Logging is enabled, and the log file is saved to C:\Temp\uA-StartTcpReceiver.ps1.log.

Example 2

C:\Temp\uA-StartTcpReceiver.ps1 -Port 19501 -TimeoutMinutes 0 -SearchString "sourcetype=uberAgent:Application:Errors" -EnableLogging

This starts the TCP listener on port 19501 and saves the received data to C:\Temp\uA-Data.txt. The script does not stop after a fixed timeout. It stops when the string sourcetype=uberAgent:Application:Errors is found in the received data, meaning an application crash occurred. Logging is enabled, and the log file is saved to C:\Temp\uA-StartTcpReceiver.ps1.log.
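If you want to see what such a receiver has to do, or cannot fetch the support script onto the endpoint, the following is an added example written for this article; it is not the uberAgent support script and makes no claim about how that script is implemented. Parameter names deliberately mirror the ones used above, the output path C:\Temp\uA-Data.txt is assumed to be writable, and the script must run in an elevated PowerShell console like the original. Two details matter for a receiver like this: it binds to 127.0.0.1 only, so nothing outside the endpoint can connect to it or inject events, and it never blocks indefinitely in Accept or Receive, so the timeout fires even if uberAgent never connects.

```powershell
# Added example for this article, not the vast limits support script: a minimal
# loopback-only TCP receiver that appends every line uberAgent sends to a text file.
param(
    [int]$Port = 19501,
    [string]$OutFile = 'C:\Temp\uA-Data.txt',   # assumed path, must be writable
    [int]$TimeoutMinutes = 10,                  # 0 = no timeout
    [string]$SearchString = ''                  # stop once a received line contains this
)

# Bind to 127.0.0.1 only. uberAgent's "Servers = localhost:19501" resolves here,
# and nothing outside the endpoint can reach the listener.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $Port)
$listener.Start()
$deadline = if ($TimeoutMinutes -gt 0) { (Get-Date).AddMinutes($TimeoutMinutes) } else { [datetime]::MaxValue }
$writer   = [System.IO.StreamWriter]::new($OutFile, $true, [System.Text.UTF8Encoding]::new($false))
$writer.AutoFlush = $true
$decoder  = [System.Text.Encoding]::UTF8.GetDecoder()   # stateful: survives multi-byte chars split across reads
$bytes    = New-Object byte[] 65536
$chars    = New-Object char[] 65536
$stop     = $false
Write-Host "Listening on 127.0.0.1:$Port, appending to $OutFile"

try {
    while (-not $stop -and (Get-Date) -lt $deadline) {
        # Poll instead of blocking in Accept so the timeout fires even if no agent connects.
        if (-not $listener.Pending()) { Start-Sleep -Milliseconds 250; continue }
        $sock    = $listener.AcceptSocket()
        $pending = ''                                     # partial line carried across reads
        try {
            while (-not $stop -and (Get-Date) -lt $deadline) {
                # Wait up to 250 ms for data; Poll also returns true once the peer has closed.
                if (-not $sock.Poll(250000, [System.Net.Sockets.SelectMode]::SelectRead)) { continue }
                $n = $sock.Receive($bytes)
                if ($n -eq 0) { break }                   # agent closed the connection
                $c = $decoder.GetChars($bytes, 0, $n, $chars, 0)
                $pending += [string]::new($chars, 0, $c)
                # Write out complete lines only; uberAgent sends one metadata line and one data line per event.
                while (($i = $pending.IndexOf("`n")) -ge 0) {
                    $line    = $pending.Substring(0, $i).TrimEnd("`r")
                    $pending = $pending.Substring($i + 1)
                    $writer.WriteLine($line)
                    if ($SearchString -and $line.Contains($SearchString)) {
                        Write-Host "Found '$SearchString', stopping."
                        $stop = $true
                        break
                    }
                }
            }
            if ($pending) { $writer.WriteLine($pending) }  # keep an unterminated last line
        } finally {
            $sock.Close()
        }
    }
} finally {
    $writer.Dispose()
    $listener.Stop()
}
```

Run it the same way as the support script, for example `.\uA-LocalReceiver.ps1 -Port 19501 -TimeoutMinutes 10` (the file name is this example's own). Because the script only ever reads what uberAgent writes and splits on newlines, it does not interpret the payload; whether the received data is well-formed is something you check afterwards, which is what the next section is about.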

Comparing Local With Backend Data

After the TCP listener stops, open the file C:\Temp\uA-Data.txt in your text editor of choice and compare the raw data, as it looked before it left the endpoint, with the data available in your backend(s). For the sake of this article, we compare the formatting and values of one particular event from the uberAgent:System:SystemPerformanceSummary2 sourcetype.

Local Data

The raw data, as saved locally by the script, looks as follows:

***SPLUNK*** host=VM-WINDOWS11ARM index=uberagent source=uberAgent sourcetype=uberAgent:System:SystemPerformanceSummary2
1694008385925,0.4,32,2.57,0,1,0,29,0,0.3,,0.6,0.1,0,266,124.5,51369,1213,99,100,0.5,7.3,0,0

Please note that this data format uses two lines per event: one line of metadata, introduced by ***SPLUNK***, carrying the host, index, source and sourcetype (this line does not count towards the Splunk data volume), and one line of comma-separated event data, whose first field is the event Timestamp.

Backend Data

We use the below Splunk search to retrieve the same data as saved locally:

index=uberagent host=VM-WINDOWS11ARM sourcetype=uberAgent:System:SystemPerformanceSummary2 Timestamp=1694008385925

The search gives us an event that is identical to the locally saved data (the metadata has, of course, been processed by Splunk).
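Picking one event out of a capture by hand gets tedious once the file holds thousands of events. The following is an added example written for this article, not part of uberAgent or its support scripts: it parses the two-line format above into objects and then applies the same filter as the Splunk search (host, sourcetype, Timestamp) to the local file. The sample input is constructed from the event shown above plus a second event with made-up values, so the block runs without a capture; the function name ConvertFrom-UberAgentRaw is this example's own.

```powershell
# Added example for this article: parse the two-line-per-event format saved by the
# local TCP receiver and filter it the way the Splunk search does.

function ConvertFrom-UberAgentRaw {
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        # Every event starts with a metadata line; anything else is skipped.
        if (-not $Lines[$i].StartsWith('***SPLUNK***')) { continue }
        # A metadata line without a following data line means the capture was cut off.
        if ($i + 1 -ge $Lines.Count) { Write-Warning "Metadata without data line at line $($i + 1)"; break }

        $meta = @{}
        foreach ($kv in ($Lines[$i].Substring('***SPLUNK***'.Length).Trim() -split '\s+')) {
            $k, $v = $kv -split '=', 2
            $meta[$k] = $v
        }
        $data = $Lines[$i + 1]
        [pscustomobject]@{
            Host       = $meta['host']
            Index      = $meta['index']
            Source     = $meta['source']
            Sourcetype = $meta['sourcetype']
            Timestamp  = ($data -split ',', 2)[0]   # first CSV field, kept as string
            Data       = $data
        }
        $i++   # skip the data line we just consumed
    }
}

# Constructed sample: the event from this article and one invented second event.
$sample = @'
***SPLUNK*** host=VM-WINDOWS11ARM index=uberagent source=uberAgent sourcetype=uberAgent:System:SystemPerformanceSummary2
1694008385925,0.4,32,2.57,0,1,0,29,0,0.3,,0.6,0.1,0,266,124.5,51369,1213,99,100,0.5,7.3,0,0
***SPLUNK*** host=VM-WINDOWS11ARM index=uberagent source=uberAgent sourcetype=uberAgent:System:SystemPerformanceSummary2
1694008445925,0.5,31,2.60,0,1,0,30,0,0.3,,0.6,0.1,0,270,125.0,51370,1210,99,100,0.5,7.4,0,0
'@

$events = ConvertFrom-UberAgentRaw -Lines ($sample -split "`r?`n")
# For a real capture use: ConvertFrom-UberAgentRaw -Lines (Get-Content 'C:\Temp\uA-Data.txt')

# Local equivalent of the Splunk search in this article.
$events |
    Where-Object { $_.Host -eq 'VM-WINDOWS11ARM' -and
                   $_.Sourcetype -eq 'uberAgent:System:SystemPerformanceSummary2' -and
                   $_.Timestamp -eq '1694008385925' } |
    Format-List Host, Sourcetype, Timestamp, Data

# Events per sourcetype, and the bytes that actually count towards Splunk volume
# (data lines only; the metadata lines do not count).
$events | Group-Object Sourcetype | Select-Object Name, Count
$dataBytes = ($events | ForEach-Object { [System.Text.Encoding]::UTF8.GetByteCount($_.Data) } | Measure-Object -Sum).Sum
"Billable bytes in capture: $dataBytes"
```

If an event that you see locally is missing in the backend, the capture file tells you whether the agent produced it at all; if the values differ, compare the Data line field by field with the Splunk event, since the local line is exactly what left the endpoint.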


So, in this case, everything works as it should. Once you are done, remove the additional [Receiver] stanza from uberAgent.conf again and delete C:\Temp\uA-Data.txt: the file holds the same telemetry your backend receives, in plain text, and has no reason to stay on the endpoint.
