by: Helge, published: Sep 17, 2014, updated: Mar 26, 2019, in

What’s New in uberAgent 2.0

The most important change in version 2.0 of uberAgent is the new architecture. In addition to that we have made many other improvements, significantly reducing the agent’s footprint while increasing the quality of the collected data.


Most Splunk apps that collect data on monitored endpoints are implemented as so-called Scripted or Modular Inputs. uberAgent 1.x was no exception. Splunk Inputs require a locally installed Splunk Universal Forwarder on the endpoints. The Forwarder is a kind of generic agent that can run arbitrary scripts and forward their output to the Splunk servers, thus the name.

With uberAgent 2.0 Splunk’s Universal Forwarder is not required any more.

Why is that important? For two reasons.

One: Footprint. Size matters a lot when running on clients with only a few gigabytes of RAM. While we invest a lot of time and energy into keeping uberAgent’s resource consumption negligible there is nothing we can do about Universal Forwarder. Compare the numbers: uberAgent RAM usage on a typical PC: 17 MB. Splunk Universal Forwarder RAM: 80 MB. Getting rid of Universal Forwarder gets the RAM footprint of the entire solution from 97 MB down to 17 MB. That is a reduction by 83%!

Two: Startup speed. When a PC boots up and the user logs on immediately you need to already be there if you want to be able to capture information about the logon. Running as its own service uberAgent 2.0 can do that easily. Life as a scripted input was not so easy. First the Universal Forwarder service had to come up. It then took the Forwarder around seven seconds to start uberAgent as a Scripted Input. That was not fast enough for many logons. uberAgent 2.0 is.

Universal Forwarder optionally can still be used.

The key point here is flexibility. uberAgent 2.0 can be configured to send data to a locally installed Forwarder instead of to a Splunk server. That may be useful if you have Universal Forwarder installed on your endpoints anyway. In this configuration all Splunk communications go through the Forwarder, it is the single point of contact. This setup also allows you to SSL-encrypt data in transit, something uberAgent cannot do natively (yet).

uberAgent for Splunk - Process Network Communication

More Good News

Of course uberAgent 2.0 has more improvements than just a changed architecture. In addition to a 15% reduction in data volume (= Splunk license cost) the most interesting things are the new per process network metrics.

uberAgent now tells you for each process which network services it communicates with, how much data is sent/received and what the latency of the connection is. That should make diagnosing backend server slowness quite a bit simpler.

Previous Article Real-World Example: WiX/MSI Application Installer
Next Article VCNRW - Your Friendly Local Virtualization Community