Using the results grid

In the results grid, an answer row is an aggregation of the computers that responded with the data shown. The Count column shows the number of Tanium™ Clients with that answer.

Figure 1: Results grid

The grid displays the first 100 answer rows. You can change the number of rows in user preferences. Go to the logged-in user link in the upper right corner, and select Preferences to display the configuration page.

Enabling/disabling live updates

As results come in, Live Updates in the results grid toolbar shows the percent of Tanium Clients that have reported results.

Click the pause button to pause updates to the grid.
Click the play button to resume updates to the grid.

Even when 100% of Tanium Clients have reported, you might see answer rows that seem to indicate incomplete results.

[no results]

Indicates that the Tanium Client was instructed to answer but does not have a value that matches the sensor filter. This can be expected when a filter is applied to the get clause and not the from clause. For example, if the question is formed with the syntax Get IP Address ending with 2 from all machines, all machines report answers, and every machine that does not have an IP address ending in 2 reports no results. It is better to put the filter in the from clause. For example, Get IP Address from all machines where IP Address ends in 2 would not return unexpected "no results" rows. You might also see [no results] if the sensor does not return a value, or the sensor was unable to execute the script.

[Current Result Unavailable]

If it takes the client longer than usual to evaluate a sensor, it might pass "current result unavailable" to its peer. The sensor process continues on the client, and when it is complete, the client sends its updated answer. The results grid is then updated.

[Results Currently Unavailable]

Indicates an answer cannot be parsed correctly by the Tanium Server. If this occurs, contact your technical account manager (TAM).

Managing rows and columns

Filter results

Use the filter controls to display only rows that match the specified criteria.

Filter by Text

Filters the results grid without reissuing the question. Select the Contains or Does not contain operator, specify a search string, and click the search icon.

Filter by Computer Group

Issues a new question with the added filter. Select from the wildcard groups All Computers, No Computers, configured computer groups, and the special Ad Hoc Filter. The Ad Hoc filter is a one-time only filter. The Ad Hoc filter configuration is not saved.

To create an ad hoc filter:

  1. Select Create Ad Hoc Filter from the Filter by Computer Group drop-down list.

    Interact displays the Group Builder dialog box.

  2. Use one of the tabs to create a filter and then click Apply.

    The Filter Bar tab includes a natural language parsing search box that helps you build a valid filter expression.

    The Filter Builder tab includes fields that enable you to add a filter, apply it, and issue the resulting question. The question is always Get computer name and IP address from all machines with the filter added to the from clause.

    The Manual List tab includes fields that enable you to specify a list of computers by hostname or IP address.

Sort results and select columns to view

In column headers, click the menu icon to display the menu for sorting rows and showing/hiding columns.

Figure 2: Grid row/column controls

Click the Clear Sort button to clear sorting criteria.

Viewing charts

The results grid is the default view. You can use the View button bar in the upper right corner to toggle to a pie chart or bar chart.

Mouse over a pie slice or bar to display the result string and count. If the result count is less than 3% of the total, it is included in the Other group.

Figure 3: Pie chart

Figure 4: Bar chart

Exporting and copying results

Use the Copy Table icon to copy the results to the clipboard in text format. This action copies the complete results, not just the results displayed on the results grid.
Use the Export Table icon to export the results to a .csv file. This action exports the complete results, not just the results displayed on the results grid.
Select one or more rows and use the More selector to copy or export only the selected rows.

You can use keyboard and mouse action combinations to copy the contents of grid cells from most grids in the Tanium Console, including the results grid. On Windows, press the Alt key and left-click in the grid cell. On macOS, press the Option key and click in the grid cell. A blue toast message notifies you that the cell contents have been copied to the clipboard.

Merging questions

Results often lead to additional questions. For example, let's say you originally ask for a list of computer names and running processes, and you see results that indicate a suspicious process is running on a few machines. You can merge the question with another to learn more—for example, the last logged-in user. The result of the merge is a results grid with one or more additional columns that have data for the added sensor.

To merge questions:

  1. Click Merge in the upper right corner of the results grid toolbar.

    Interact displays the Select Merge Questions dialog box.

  2. Use one of the tabs to add one or more questions and then click the red Merge button.

    The Saved Questions tab includes a list of saved questions for which you have Read Saved Question permission.

    The Create a Question tab includes fields that enable you to start a new question.

    The Build a Question tab includes fields that enable you to select sensors for the merge question.

    Notice that you add additional sensors to the "get" clause but you do not add filters to the "from" clause. The from clause is built from the rows that were selected on the results grid when you clicked Merge.

Using drill down

From the results grid, you can drill down from selected results to retrieve additional information from the selected endpoints. By adding a drill-down question, you are essentially adding sensor filters. You often will want to do this when you are targeting a narrow group of computers for an action. For example, let's say you originally ask for a list of chassis types and operating systems. You can drill down from these results to the list of computer names for the matching records.

To drill down:

  1. Select one or more rows in the results grid. When you select rows, the red Drill Down, Deploy Action, and More buttons are displayed.
  2. Click Drill Down.

    Interact displays the Select Drilldown Question dialog box.

    The Saved Questions tab includes a list of saved questions for which you have Read Saved Question permission.

    The Create a Question tab includes fields that enable you to start a new question.

    The Build a Question tab includes fields that enable you to select sensors for a drill-down question.

  3. Select or configure a question you want to use and then click the red Drill Down button.
  4. Interact displays the progression of results, including a new results grid for the drill-down question. From here, you can drill down further, deploy an action, save the question, or copy it to the Question Bar or Question Builder for further refinement.

Using deploy action

You use filtering, merging, and drill-down techniques to find the set of computers that are due for administrative action. Then, in the results grid, you can select the targeted computers and launch the Deploy Action workflow page.

Do not deploy an action unless you completely understand the scope of the action, you understand the impact on an individual target and the impact on the environment given the number of targets, and you have been authorized by your organization to perform the action. Some organizations require review and approval by a second administrator. For information about enabling and using the action approval feature, see Action Approval.

Role requirements

You must be assigned a role with Write Action permission to see the Deploy Action button on the results grid. The packages available are determined by Read Package content set permissions. When you deploy an action, the Tanium Server uses special saved questions to track action status and report action status within the deploy action workflow. To complete the workflow, you also need the Read Sensor and Read Saved Question permissions on the Reserved content set.

Deploy an action

  1. In the results grid, select the rows of interest and click Deploy Action.

    Interact displays the Deploy Action workflow page.

  2. Use the Deployment Package search box typeaheads to select packages.

    Alternatively, you can use the Browse Packages dialog box to review package descriptions and then select them.

  3. Complete the Action Details section.
    Name: Specify a configuration name. The name appears in the record for the action on the Scheduled Actions, Action History, and Action Approval pages.
    Description: Optional. A description helps other administrators understand the purpose of the configuration object.
    Tags: Optional. Tags are name-value pairs. Use the controls to add tags.

  4. Complete the Schedule Deployment section.
    Start at / End at

    Optional. You can specify a start time when it is important that the action be deployed to targeted clients during a maintenance window. The time refers to the Tanium Server system clock. The system clock is the Coordinated Universal Time (UTC) for the Tanium Server host system, not the Tanium Client host systems. For example, if you specify the action to run at 1:00 am, it is deployed when the Tanium Server system clock time is 1:00 am. Note the following behavior:

    • If a start time is not specified, the action is issued immediately upon completion of the deploy action workflow.
    • If a start time is not specified, and action approval is enabled, the action will be issued immediately after it is approved, provided other action conditions do not preclude it from being issued.
    • If a start time is specified, and action approval is enabled, the action will be issued at the next start time following the approval. For example, if you set the action to be deployed at 1:00 am and to be reissued every day, and it is approved at 2:00 am, the action will be deployed the next day at 1:00 am.

    We recommend you specify an end date/time if the scheduled action is configured to be reissued, unless you are sure it is the type of action that should be reissued indefinitely. If you are not sure, configuring the schedule to end in six months is better than having it run indefinitely.

    Distribute over

    Tanium Server distributes packages to Tanium Clients in batches. This option randomizes the distribution over the specified duration to avoid spikes in network or other resource utilization. For example, if an action depends on a sensor that queries Active Directory, an action that is not distributed over time can cause a flood of traffic to the Active Directory server. Similarly, an action that targets clients in a virtual machine farm could exhaust the shared CPU or memory resources if all clients were to run a resource-intensive program at the same time. The "distribute over time" option attenuates the impact a massive orchestration might have on the networked environment or virtualized environment.

    Specify a number and unit: Minutes, Hours, Days.

    Reissue every

    Use this option to put the scheduled action on a repeat schedule. This option is appropriate:

    • when action approval is enabled and you are not certain it will be approved before the action expires.
    • when you want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window defined by the interval you specify.
    • when the action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

    Specify a number and unit: Minutes, Hours, Days.

    Note: The Reissue every interval must be greater than the action expiration period. The action expiration period is the larger result from the following calculations:

    • The package Command Timeout + Download Timeout values
    • The package Command Timeout + the scheduled action Distribute over value

  5. Complete the Targeting Criteria section and click Show preview to continue.
  6. Review the preview details and click Deploy Action.

    You are prompted to review the impact on targets and to provide administrator credentials.

  7. Enter your password.
  8. The page reloads to display the Action Summary page.

  9. Review the status to confirm expected results.

The Deploy Action workflow creates a scheduled action configuration object, and the action is entered on the Scheduled Actions, Action History, and (if applicable) Action Approval pages in the Tanium Console. For details, see Managing actions.
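
The scheduling rules from step 4 (Start at / End at with action approval, and the note on Reissue every) can be checked before you open the workflow. The following is an added example, not Tanium code or a Tanium API; the function and parameter names are hypothetical, and treating an approval that lands exactly on a start time as waiting for the next one is an assumption.

```python
from datetime import datetime, timedelta, timezone

ZERO = timedelta(0)

def action_expiration(command_timeout, download_timeout, distribute_over=ZERO):
    """Larger of Command Timeout + Download Timeout and
    Command Timeout + Distribute over, per the note on Reissue every."""
    return max(command_timeout + download_timeout,
               command_timeout + distribute_over)

def check_schedule(command_timeout, download_timeout, distribute_over=ZERO,
                   reissue_every=None, end_at=None):
    """Return findings for a planned scheduled action (empty list = OK)."""
    findings = []
    expiry = action_expiration(command_timeout, download_timeout, distribute_over)
    if reissue_every is not None:
        if reissue_every <= expiry:
            findings.append(f"Reissue every ({reissue_every}) must be greater "
                            f"than the action expiration period ({expiry})")
        if end_at is None:
            findings.append("Reissued action has no End at; it repeats indefinitely")
    return findings

def first_issue_after_approval(approved_at, start_at=None, reissue_every=None):
    """Time (Tanium Server clock, UTC) at which an approved action is issued."""
    if start_at is None:
        return approved_at            # no start time: issued right after approval
    if approved_at < start_at:
        return start_at               # approved before the first start time
    if reissue_every is None:
        return None                   # start passed, no repeat: not covered by the page
    # Next start time following the approval (assumption: an approval exactly
    # on a start time waits for the next one).
    missed = (approved_at - start_at) // reissue_every + 1
    return start_at + missed * reissue_every

if __name__ == "__main__":
    # Constructed sample values, not taken from a real package.
    print(check_schedule(timedelta(minutes=10), timedelta(minutes=5),
                         distribute_over=timedelta(hours=1),
                         reissue_every=timedelta(hours=1)))
    start = datetime(2018, 3, 1, 1, 0, tzinfo=timezone.utc)
    print(first_issue_after_approval(start + timedelta(hours=1), start,
                                     timedelta(days=1)))
```
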

Last updated: 2/28/2018 3:15 PM