uberAgent

User Logoff Metrics

Logoff Detail

uberAgent collects various details about logoffs like profile unload time, Group Policy logoff script time as well as process performance.

Notes:

  • Field: AppVersion - uberAgent has an internal filter to minimize data volume by suppressing version information for system processes and system services. As a result, the AppVersion field is typically empty for most system processes and services.

Details

  • Source type: uberAgent:Logoff:LogoffDetail
  • Used in dashboards: User Logoff Duration, Single Logoff
  • Enabled through configuration setting: LogonDetail
  • Related configuration settings: n/a
  • Supported platform: Windows

List of Fields in the Raw Agent Data

Field Description Data type Unit Measurement type Example
SessionGUID Unique identifier that is generated by uberAgent when the session is created. Valid for this session only. String   Snapshot 00000002-f295-9109-e7c7-c964011dd401
SessionID Unique identifier that is generated by the machine when the session is created. Will be reassigned to other sessions after logoff. Number   Snapshot 3
User User name. String   Snapshot Domain\JohnDoe
SessionLogoffTime Time when the user logged off. String   Snapshot 2018-07-23 10:06:02
SessionEndTime Time when the session ended. String   Snapshot 2018-07-23 10:08:02
SessionDurationMs Session duration. Number ms Sum 25000
ProfileUnloadTimeMs2 User profile unloading time. Number ms Sum 300
GroupPolicyLogoffScriptTimeMs Group Policy logoff script processing time. Number ms Sum 358
TotalLogoffTimeMs Logoff duration combined for all phases. Number ms Sum 40000
ProcessStartCount Number of processes started. Number   Count 8
IOCountRead Count of read I/O operations. Number   Count 100
IOCountWrite Count of write I/O operations. Number   Count 100
IOMBRead Amount of read data volume. Number MB Sum 50
IOMBWrite Amount of write data volume. Number MB Sum 50
IOLatencyReadMs I/O read operation duration divided by count of read I/O operations. Number ms Average 358
IOLatencyWriteMs I/O write operation duration divided by count of write I/O operations. Number ms Average 358

Logoff processes

Detailed performance data about all processes active during user logoff like process start time and lifetime duration, commandline, executable path, and CPU footprint.

Details

  • Source type: uberAgent:Process:LogoffProcesses
  • Used in dashboards: Single Logoff
  • Enabled through configuration setting: LogonProcesses
  • Related configuration settings: n/a
  • Supported platform: Windows

List of Fields in the Raw Agent Data

Field Description Data type Unit Measurement type Example
ProcName Process name. String   Snapshot chrome.exe
ProcID Process ID. Number   Snapshot 456
ProcParentName Parent process name. String   Snapshot PowerShell.exe
ProcParentID Parent process ID. Number   Snapshot 789
ProcUser User who ran the process. String   Snapshot Domain\JohnDoe
AppId Associated application ID. Used by uberAgent to lookup application names and populate field AppName. String   Snapshot GglChrm
AppVersion Associated application version. String   Snapshot 67.0.3396.99
LogoffProcType uberAgent groups processes running during logon into types. Possible values: Other, GP logoff script, Session teardown. String   Snapshot Other
ProcStartTimeRelativeMs Process relative start time. Number ms Snapshot 16764
ProcLifetimeMs Process lifetime. Number ms Sum 73615
ProcCmdline Process command line. String   Snapshot C:\Program Files (x86)\Google\Chrome\Application\chrome.exe –url http://vastlimits.com
ProcPath Process path. String   Snapshot C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ProcIOReadCount Process I/O operation read count. Number   Count 2000
ProcIOWriteCount Process I/O operation write count. Number   Count 990
ProcIOReadMB Process I/O operation read data volume. Number MB Sum 100.05
ProcIOWriteMB Process I/O operation write data volume. Number MB Sum 16.06
ProcIOLatencyReadMs2 Process I/O operation read latency. Number ms Average 300
ProcIOLatencyWriteMs2 Process I/O operation write latency. Number ms Average 300
ProcNetKBPS Process generated network traffic. Number KB Sum 19.18
SessionGUID Unique identifier that is generated by uberAgent when the session is created. Valid for this session only. String   Snapshot 00000002-f295-9109-e7c7-c964011dd401
SessionID Unique identifier that is generated by the machine when the session is created. Will be reassigned to other sessions after logoff. Number   Snapshot 3
TotalLogoffDurationMs Total logoff duration. Number ms Sum 40000
SortOrder2 Sort order number to sort the table Boot process performance on the Single Boot dashboard correctly. Number   Snapshot 29

List of Calculated Fields

Field Description Data type Unit Measurement type Where available Example
AppName Associated application name. String   Snapshot Splunk data model, Splunk SPL Google Chrome
SortOrder Sort order number to sort the table Boot process performance on the Single Boot dashboard correctly. Number   Snapshot Splunk data model 29
User Logoff Metrics