Application & Process Startup Metrics
Process Startup
For each application or process that is launched, uberAgent collects metrics such as startup performance (duration, IOPS) as well as process properties (e.g., elevation status). If the configuration setting EnableExtendedInfo is enabled, uberAgent additionally collects the full path to the process executable in the file system and the full command line the process was launched with.
Notes:
- As with all other metrics, process startup duration is recorded automatically without requiring any configuration. Optionally, uberAgent can show only processes that have never been seen before in the Splunk dashboards.
- Processes are auto-grouped into applications, i.e., the application name is determined automatically. Information on how automatic application identification works is available here.
- On macOS, either a fork or an exec system call can trigger a process startup event. To distinguish between the two, see the StartupEventSource field.
- Field AppVersion: uberAgent has an internal filter that minimizes data volume by suppressing version information for system processes and system services. As a result, the AppVersion field is typically empty for most system processes and services.
Details
- Source type: uberAgent:Process:ProcessStartup
- Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
- Enabled through configuration setting: ProcessStartup
- Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Measurement type | Platform | Example |
---|---|---|---|---|---|---|
ProcName | Process name. | String | | Snapshot | all | chrome.exe |
ProcUser | Process user. | String | | Snapshot | all | Domain\JohnDoe |
StartupTimeMs | Startup time duration (how long it took the process to initialize). | Number | ms | Sum | Win | 300 |
StartupIOPS | I/O operations per second generated during the process' startup phase (see StartupTimeMs). | Number | | Count | Win | 150 |
AppId | Associated application ID. Used by uberAgent to look up the application name and populate the field AppName. | String | | Snapshot | all | GglChrm |
ProcID | Process ID generated by the OS. Process IDs are reused and cannot be used to uniquely identify a process. Use ProcGUID for that purpose instead. | Number | | Snapshot | all | 456 |
ProcParentID | Parent process ID (also see ProcID). | Number | | Snapshot | all | 789 |
SessionID | Session ID generated by the OS. Session IDs are reused and cannot be used to uniquely identify a session. Use SessionGUID for that purpose instead. macOS: for consistency with Windows, all non-user sessions are assigned to a fictitious system session 0. | Number | | Snapshot | all | 3 |
ProcGUID | Unique identifier for a process instance, generated by uberAgent. | String | | Snapshot | all | 00000000-ebe5-469c-63ae-f5a1de28d401 |
SessionGUID | Unique identifier for a session, generated by uberAgent. | String | | Snapshot | Win | 00000002-f295-9109-e7c7-c964011dd401 |
ProcParentName | Parent process name. | String | | Snapshot | all | powershell.exe |
ProcPath | Full path to the process executable in the file system. | String | | Snapshot | all | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
ProcCmdline | The process' command line. | String | | Snapshot | all | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --url http://vastlimits.com |
StartupEventSource | Indicates whether the startup event was generated by a fork (1) or exec (2) call. | String | | Snapshot | macOS | 1 |
IsElevated | Indicates whether the process is elevated (has admin rights). | String | | Snapshot | all | 1 |
AppVersion | Associated application version. | String | | Snapshot | all | 67.0.3396.99 |
ProcParentGUID | Unique identifier of the parent process (the parent's ProcGUID). | String | | Snapshot | all | 00000000-ebe5-469c-54ae-f5a1de28d401 |
IsProtected | Indicates whether the process is protected (PsProtectedTypeProtected) or protected light (PsProtectedTypeProtectedLight, PPL). | String | | Snapshot | Win | 1 |
HashMD5 | MD5 hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 7FFE122B109F1B586DEA2ED0F406E952 |
HashSHA1 | SHA1 hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 26DBC241A37881072689CD05C70489C2CDFB562A |
HashSHA256 | SHA256 hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC |
HashIMP | Import-table hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 188392D5FBCC485811BB54211E4D2978 |
SignatureStatus | Authenticode signature status. Can be 0, 1, 2, 3, 4, 5, 6 or 7. See also SignatureStatusDisplayName (requires ESA). | String | | Snapshot | Win | 1 |
IsSignedByOSVendor | Indicates whether the Authenticode signer is the OS manufacturer (e.g., Microsoft). Requires ESA. | String | | Snapshot | all | 1 |
SignerName | Authenticode signer name (requires ESA). | String | | Snapshot | Win | Microsoft Windows |
CdHash | Hash of the code directory of a signed executable (requires ESA). Configurable via the setting EnableCdHash. | String | | Snapshot | macOS | 24e4b80198b220e4a0ea87d33bf72af22576722c |
Notes
- The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID.
- The maximum supported timer Interval for the ProcessStartup metric is 300000 milliseconds (5 minutes).
List of Calculated Fields
Field | Description | Data type | Unit | Measurement type | Where available | Example |
---|---|---|---|---|---|---|
User | Alias for ProcUser. | String | | Snapshot | Splunk data model | Domain\JohnDoe |
StartupTimeS | Startup time duration. | Number | s | Sum | Splunk data model | 0.3 |
StartupIOCount | StartupIOPS * StartupTimeMs / 1000. | Number | | Sum | Splunk data model | 45 |
AppName | Associated application name. | String | | Snapshot | Splunk data model, Splunk SPL | Google Chrome |
SignatureStatusDisplayName | Possible values: Unknown, Ok, Revoked, Expired, InvalidHash, UntrustedRoot, TrustedRootNotInCA and Error. | String | | Snapshot | Splunk data model | Ok |
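The following is an added worked example, not code from this page or from uberAgent, covering both tables above: it derives the calculated fields (User, StartupTimeS, StartupIOCount, SignatureStatusDisplayName) from raw ProcessStartup events and shows why process lineage must be resolved through ProcGUID/ProcParentGUID rather than through reusable PIDs. The key="value" event layout and the three sample events are constructed for illustration, the lineage fields it relies on are only populated when EnableExtendedInfo is true, and the assumption that SignatureStatus codes 0..7 map in order to the eight display names listed for SignatureStatusDisplayName is exactly that, an assumption.

```python
"""Added example (not uberAgent code): calculated fields and GUID-based lineage
for uberAgent:Process:ProcessStartup events."""
import re

# Assumption: codes 0..7 map, in order, to the display names the calculated-fields
# table lists for SignatureStatusDisplayName.
SIGNATURE_STATUS_NAMES = {
    0: "Unknown", 1: "Ok", 2: "Revoked", 3: "Expired",
    4: "InvalidHash", 5: "UntrustedRoot", 6: "TrustedRootNotInCA", 7: "Error",
}

# Constructed sample events in an assumed key="value" layout. PID 456 is
# deliberately reused by two different process instances (distinct ProcGUIDs),
# and the third event names 456 as its parent.
RAW_EVENTS = [
    'ProcName="cmd.exe" ProcUser="Domain\\JohnDoe" ProcID="456" ProcParentID="1000" '
    'ProcGUID="00000000-aaaa-0001-0000-000000000001" ProcParentGUID="00000000-aaaa-0000-0000-000000000000" '
    'StartupTimeMs="120" StartupIOPS="20" IsElevated="0" SignatureStatus="1" IsSignedByOSVendor="1"',
    'ProcName="powershell.exe" ProcUser="Domain\\JohnDoe" ProcID="456" ProcParentID="1000" '
    'ProcGUID="00000000-aaaa-0002-0000-000000000002" ProcParentGUID="00000000-aaaa-0000-0000-000000000000" '
    'StartupTimeMs="300" StartupIOPS="150" IsElevated="1" SignatureStatus="1" IsSignedByOSVendor="1"',
    'ProcName="updater.exe" ProcUser="Domain\\JohnDoe" ProcID="789" ProcParentID="456" '
    'ProcGUID="00000000-aaaa-0003-0000-000000000003" ProcParentGUID="00000000-aaaa-0002-0000-000000000002" '
    'StartupTimeMs="800" StartupIOPS="400" IsElevated="1" SignatureStatus="5" IsSignedByOSVendor="0"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one raw event line into a dict of field name -> string value."""
    return dict(KV_RE.findall(line))


def with_calculated_fields(ev):
    """Add the fields the Splunk data model derives from the raw event."""
    out = dict(ev)
    out["User"] = ev.get("ProcUser", "")
    if "StartupTimeMs" in ev:
        ms = float(ev["StartupTimeMs"])
        out["StartupTimeS"] = ms / 1000.0
        if "StartupIOPS" in ev:
            # IOPS is a rate; scaling it by the startup duration yields a total count.
            out["StartupIOCount"] = float(ev["StartupIOPS"]) * ms / 1000.0
    if "SignatureStatus" in ev:
        code = int(ev["SignatureStatus"])
        out["SignatureStatusDisplayName"] = SIGNATURE_STATUS_NAMES.get(code, "Unknown")
    return out


def parents_by_pid(events, child):
    """Naive lookup by ProcParentID. PID reuse makes the result ambiguous."""
    return [e["ProcName"] for e in events if e.get("ProcID") == child.get("ProcParentID")]


def parent_by_guid(events, child):
    """Correct lookup: ProcGUID is unique per process instance."""
    by_guid = {e["ProcGUID"]: e for e in events if "ProcGUID" in e}
    parent = by_guid.get(child.get("ProcParentGUID"))
    return parent["ProcName"] if parent else None


def ancestry(events, child):
    """Walk ProcParentGUID links upward until the parent is not in the data set."""
    by_guid = {e["ProcGUID"]: e for e in events if "ProcGUID" in e}
    chain, seen = [child["ProcName"]], {child["ProcGUID"]}
    guid = child.get("ProcParentGUID")
    while guid in by_guid and guid not in seen:  # seen-set guards against cycles
        seen.add(guid)
        chain.append(by_guid[guid]["ProcName"])
        guid = by_guid[guid].get("ProcParentGUID")
    return chain


def flag_suspicious(events):
    """Elevated processes whose executable is neither OS-vendor signed nor
    carrying an Ok Authenticode status, with their GUID-resolved ancestry."""
    hits = []
    for ev in events:
        enriched = with_calculated_fields(ev)
        if (enriched.get("IsElevated") == "1"
                and enriched.get("IsSignedByOSVendor") != "1"
                and enriched.get("SignatureStatusDisplayName") != "Ok"):
            hits.append((enriched["ProcName"],
                         enriched["SignatureStatusDisplayName"],
                         ancestry(events, ev)))
    return hits


EVENTS = [parse_event(line) for line in RAW_EVENTS]

if __name__ == "__main__":
    print("by PID:", parents_by_pid(EVENTS, EVENTS[2]))
    print("by GUID:", parent_by_guid(EVENTS, EVENTS[2]))
    for hit in flag_suspicious(EVENTS):
        print("suspicious:", hit)
```

The PID-based lookup returns two candidate parents for updater.exe because both cmd.exe and powershell.exe carried PID 456 at different times, whereas the GUID-based lookup returns exactly powershell.exe; the same distinction applies to SessionID versus SessionGUID.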