Split process by TCP connection

Would it be possible to split a process by TCP connection?

Example - Windows Resource Monitor shows outlook.exe having multiple TCP connections with the same process ID.

The stuff I'm interested in is:

Local TCP port per connection

Remote TCP port per connection

Packet Loss per connection

Latency per connection

Traffic volume per connection

6 comments

  • Helge Klein Official comment

    Hi Peter,

    Please take a look at the "Single Application Performance" dashboard. It lists all network connections of a selected application. As with all the other dashboards it provides powerful filtering capabilities to isolate a specific host, site, etc.

    You can get to the "Single Application Performance" dashboard by drilling down, e.g. from the "Application Network Communication" dashboard: just click the application you are interested in.

    Is this what you were looking for? If not, we could help you build a custom search that presents the data in just the way you need it.

    Please note that uberAgent collects all the metrics you mentioned with the exception of packet loss.

  • Peter Mitchell

    Here's what I mean. Multiple processes of outlook.exe on a normal desktop (not Citrix / RDS).

    http://s9.postimg.org/ynxix6d0f/ports_uberagent.png

    I searched the uberagent index for the dest IP address and didn't see all the TCP connections.

  • Helge Klein

    Did you take a look at the dashboard "Single Application Performance"?

    Additional info: by default, uberAgent ignores connections with very low activity to reduce the data volume. That, however, can be changed through the configuration option "IgnoreLowActivity".

  • Julien EGRON

    Hi,

    OK, but I can't find the network connection for a specific user. It seems the user filter is missing on the Single Machine Detail?

    Julien

  • Helge Klein

    If you are looking for a specific network connection, search for it in the Splunk sourcetype uberAgent:Process:NetworkTargetPerformance. By looking at the event you will be able to see which user is associated.

  • Julien EGRON

    Found it! Thanks.

    An idea is to add a timestamp on the connections like in a flow. It can be useful if you need to correlate with NPM tools.