Managing question results

Question results overview

After you use Tanium Interact to issue a dynamic question, the Question Results page opens and displays a grid with the answers (results) from endpoints. The page facilitates analyzing the results by providing display options such as live updates, cached results, and filters. You can also use the page to retrieve additional information from endpoints by merging questions and by drilling down into the results.

Each row in the results grid is an aggregation of the endpoints that reported the same answer. For counting questions, the Count column shows the number of Tanium Clients with that answer, as shown in Figure 1 (for details, see Counting and non-counting questions).

When you issue a saved question or a dashboard of questions, the Tanium Console opens the saved question results page or dashboard results page respectively. These pages resemble the Question Results page but have additional options: see Issue a saved question and Issue a dashboard of saved questions.

Figure 1: Question Results grid

Selecting rows

After you manipulate the grid to show the results that you want, you can deploy actions to the associated endpoints by selecting some or all of the result rows and clicking Deploy Action. For the full procedure, see Deploying actions.

  • You can select up to 100 rows in the grid.
  • To quickly select multiple consecutive result rows for drilling down, copying, exporting, or deploying actions, click the check box in the first row to include, hold down the Shift key, and then click the check box in the last row to include.
  • Click the check box next to the header row to select 100 rows, starting with the first row that displays on the screen. If you already have rows selected, Interact only selects rows to reach the 100 limit. Click the check box again to clear any selected rows.

Enable or disable live updates

The top left of the Question Results grid toolbar shows the percentage of Tanium Clients that reported results. The live updates feature is enabled by default, which means the Tanium Console updates the grid as more Tanium Clients report results.

Click Pause to stop the grid from updating and click Play to resume updating.

Even after 100% of Tanium Clients have reported, some answer rows might indicate incomplete results.

[no results]

This result indicates that the Tanium Client was instructed to answer but does not have a value that matches the sensor filter. This occurs if you apply a filter to the get clause and not the from clause. For example, if the question is Get IP Address ending with 2 from all machines, all endpoints return answers and all endpoints without an IP address ending in 2 return [no results]. As a best practice, put the filter in the from clause. For example, Get IP Address from all machines where IP Address ends in 2 would not return unexpected [no results] rows. You might also see [no results] if the sensor does not return a value or cannot execute the script.

[Current Result Unavailable]

If an endpoint takes longer than usual to evaluate a sensor, it might initially supply the answer [current results unavailable] to the answer message that it passes along the linear chain and ultimately to the Tanium Server. However, the sensor process continues on the endpoint after supplying that initial answer and, upon completing the process, the endpoint sends its updated answer. The Tanium Server then updates the Question Results grid.

[Results Currently Unavailable]

This result indicates that the Tanium Server cannot correctly parse an answer. If this occurs, contact your Technical Account Manager (TAM).

Display results for online and offline endpoints

When the Question Results page opens, it initially displays only current results, which are answers from endpoints that were online at the moment you issued the question. However, you can also display recent or cached results that the Tanium Server stored when it queried endpoints that were previously online but are currently offline.

Figure 2: Current, recent, and cached results

The option to display stored results enables you to have a more complete view of your managed endpoints. For example, to evaluate the security state of both online and offline endpoints, you can display both current and stored results for questions about which endpoints have a critical patch applied or a particular third-party application installed. Click the button for the type of results that you want to display:

  • Current: By default, the grid displays results only from endpoints that are currently online.
  • Recent (saved questions only): In addition to results from online endpoints, this option includes results from offline endpoints if those results still reside on the Tanium Server after the last time the server issued that question. The server stores the results of saved questions for seven days by default. Note that the server associates recent results with specific saved questions, not with sensors. This means that even if multiple saved questions share the same sensor, the results grid might show different recent results for that sensor based on which question you issue and your computer management group permissions. Only users who have the permissions to create saved questions can view recent results.
  • Cached: The grid displays results that the Tanium Server collects by periodically querying all managed endpoints for specific sensors. The option appears only for questions in which all the sensors are registered for collection. The server stores the results for 30 days by default. Because the server saves the results on a per-sensor basis, the grid displays the same results for a particular sensor when you issue any dynamic or saved question that uses that sensor. The grid displays only the most recent collected results. Only users with the Data Collection Registration Write permission can register sensors. For details, see Manage sensor results collection.

For offline endpoints, the best practice is to view Cached results instead of Recent results. For cached results, the Tanium Server more accurately identifies the responding endpoints, allows all users to view the results, and returns results for both dynamic and saved questions.

Filter question results

Use the filter controls in the header of the Question Results grid to display only results that match the criteria you specify.

Figure 3: Question Results grid filters

The Question Results grid includes multiple grid filters. The Tanium Server combines the filters with a Boolean AND. For example, if you select a computer group filter and also configure an advanced filter, the server combines the logic of both filters.

Use a text filter

Use the Filter By Text field to filter the Question Results grid based on values in any of the grid columns. The Tanium Server filters the grid without reissuing the question. Select the Contains or Does not contain operator, enter a search string, and click Search.

Use a computer group filter

After you select an entry in the Filter by Computer Group drop-down, the Tanium Server issues a new question with the added filter. Select All Computers, No Computers, or a user-configured computer group. If the list of computer groups is long, you can use the text filter within the Computer Group drop-down to filter by group name. If you save the question, the question text includes the Computer Group filter but not the text filter within the drop-down.

The Filter by Computer Group drop-down displays only the groups that are available to your user account through assignment or inheritance (management groups) or that are assigned to a content set for which your account has role permissions (filter groups). For details, see Managing computer groups.

Use an advanced filter

Use advanced filters to filter question results based on match conditions, including column values.

  1. In the header of the Question Results grid, click Advanced Filtering.
  2. Click one of the following buttons to add filter conditions:
    • + Add: Add one or more conditions and click Save.
    • + (Group): Select this option to nest a Boolean operator. Use + Add or + (Group) to build the nested expression and then click Save.

    After you click Apply All, the grid refreshes.

Manage row sorting, column visibility, and text wrapping for question results

To sort rows alphabetically or numerically in the Question Results grid based on the values in a specific column, click the column header.

To change which columns are visible in the grid, click Customize Columns in the grid toolbar and select (show) or deselect (hide) the column check boxes.

To toggle text wrapping, click Wrap Text or Unwrap Text in the grid toolbar.

Figure 4: Question Results grid sorting, column visibility, and text wrapping controls

Export and copy question results

The Question Results page provides several options for copying and exporting the results grid contents. You can export all the results by clicking Export at the right side of the grid toolbar. You can also select specific results and click Copy or Export above the grid.

Figure 5: Copy or export question results

Copy question results to the clipboard

You can copy question results to the clipboard in text format. To include sensor names (displayed in the grid as column headers) in the copied text, see Set Tanium Console user preferences.

  • To copy specific results, select the corresponding check boxes and click Copy.
  • To copy the contents of a grid cell, hover over the cell, click Options, and click Copy Cell Value.
  • Alternatively, to copy the contents of a grid cell, press the Alt key (Windows) or Option key (macOS) and click in the grid cell. The Tanium Console then displays a message indicating that the clipboard has a copy of the cell contents. This operation works for most grids in the Tanium Console.

Export question results

You can export question results to a CSV file.

  1. Select one of the following export options:
    • To export specific results, select the corresponding check boxes and click Export.
    • To export the complete results, click Export.
  2. Enter a File Name for the CSV file.
  3. To include sensor names (grid column headers) in the .csv file, select Include headers in export.

    To set this option as enabled or disabled by default, see Set Tanium Console user preferences.

    If you selected only a subset of the results to export, click Export and skip the remaining steps, which describe options that are available only if you are exporting the complete results.

  4. Select how the CSV file displays results for questions where one sensor generates multiple results for each responding endpoint. As an example, for the question Get Computer Name and High CPU Processes[5] from all machines, the High CPU Processes sensor returns five processes for each endpoint. By default, the file displays one row for all the results that the sensor generated for an endpoint. For the example question, this would mean each row lists all the top five processes for each endpoint (identified by Computer Name).

    To display a row for each result that a sensor generates, select Flatten rows. For the example question, a flattened export results in five rows per endpoint: one row for each process that the High CPU Processes sensor returned. Note that this option works only if just one sensor in the question has multiple results.

    If you select Flatten rows, the Fail on errors check box appears. Selecting Fail on errors causes the export to fail for all results if any result includes multiple columns (sensors) with more than one value. In the example, it would be an error if a single endpoint returned multiple results for both Computer Name and High CPU Processes. By default, Fail on errors is disabled, which means the export proceeds despite such errors. However, the output includes errors without flattening the affected results; the output does not use separate lines to account for multiple columns with multiple values.

  5. Click Export.
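
The following is an added example, not part of the Tanium documentation and not Tanium code: a Python model of the export layouts described in step 4 (the default one-row-per-endpoint layout, Flatten rows, and Fail on errors), run over constructed sample results for the question Get Computer Name and High CPU Processes[5] from all machines. The host names and process names are made up; how a multi-value cell is rendered in the unflattened layout (values joined with newlines) is an assumption of this model, not documented Tanium behaviour.

```python
import csv
import io

COLUMNS = ["Computer Name", "High CPU Processes"]

# Constructed sample results (not real data) for
#   Get Computer Name and High CPU Processes[5] from all machines
# Each answer maps a column (sensor) to the list of values that sensor returned
# for one endpoint. host-c is a deliberately malformed answer in which two
# columns each carry several values, which is the case Fail on errors detects.
RESULTS = [
    {"Computer Name": ["host-a"],
     "High CPU Processes": ["chrome.exe", "svchost.exe", "explorer.exe",
                            "outlook.exe", "teams.exe"]},
    {"Computer Name": ["host-b"],
     "High CPU Processes": ["java.exe", "sqlservr.exe", "w3wp.exe",
                            "msmpeng.exe", "lsass.exe"]},
    {"Computer Name": ["host-c", "host-c-alias"],
     "High CPU Processes": ["bash", "python3"]},
]


class ExportError(Exception):
    """Raised when Fail on errors is set and a result cannot be flattened."""


def _cell(values):
    # Assumed representation of a multi-value cell in the unflattened layout:
    # all values in one cell, separated by newlines.
    return "\n".join(values)


def export_rows(results, columns, flatten=False, fail_on_errors=False):
    """Return the data rows of the CSV as lists of strings.

    flatten=False: one row per endpoint (default layout).
    flatten=True:  one row per value of the single multi-value column; a result
                   with more than one multi-value column is an error: with
                   fail_on_errors it aborts the whole export, otherwise that
                   result is written unflattened and the export continues.
    """
    rows = []
    for answer in results:
        values = {c: list(answer.get(c, [])) for c in columns}
        multi = [c for c in columns if len(values[c]) > 1]
        if not flatten or not multi:
            rows.append([_cell(values[c]) for c in columns])
            continue
        if len(multi) > 1:
            if fail_on_errors:
                raise ExportError(f"multiple values in more than one column: {multi}")
            rows.append([_cell(values[c]) for c in columns])  # left unflattened
            continue
        (multi_col,) = multi
        for value in values[multi_col]:
            rows.append([value if c == multi_col else _cell(values[c]) for c in columns])
    return rows


def export_csv(results, columns, include_headers=True, **options):
    """Serialize the export as CSV text; options are passed to export_rows."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if include_headers:
        writer.writerow(columns)  # the Include headers in export option
    writer.writerows(export_rows(results, columns, **options))
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(RESULTS, COLUMNS))
    print(export_csv(RESULTS, COLUMNS, flatten=True))
    try:
        export_csv(RESULTS, COLUMNS, flatten=True, fail_on_errors=True)
    except ExportError as exc:
        print("export failed:", exc)
```

The default layout yields three rows (one per endpoint); Flatten rows yields eleven, five per well-formed endpoint plus one unflattened row for the malformed host-c answer, which is exactly the mixed output the page warns about when Fail on errors is left disabled.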

Merge questions

Question results often lead to additional questions. For example, the results of a question that returns computer names and running processes might indicate that some endpoints are running a suspicious process. You can merge the initial question with another question to learn more information, such as the last logged-in user. The Tanium Server issues the merge question in the background, and the Tanium Console re-displays the Question Results grid with one or more additional columns containing results for the sensors that the merge question specified.

Merge operations automatically apply to all results. You do not need to select grid rows before merging.

  1. Click Merge on the right side of the Question Results grid toolbar to open the Select Merge Questions dialog.
  2. Use one of the following tabs to add questions and then click Merge:
    • Saved Questions: Lists saved questions that are assigned to content sets for which you have Read Saved Question permission.

      To filter the list so that it includes only saved questions whose Visibility setting is Only the Owner and Admins can see this object, select Hide public questions.

    • Create a Question: Enter a question using the same syntax as in the Interact Ask a Question field (see Issue a question through the Ask a Question field).
    • Build a Question: Construct a question using the same fields as in the Interact Question Builder (see Issue a question through the Question Builder).

      Notice that you add sensors to the get clause but you do not add filters to the from clause. The from clause is automatically based on the rows that you selected in the Question Results grid when you clicked Merge.

    After you click Merge, the Question Results grid displays the updated results. The grid header has an Edit button that enables you to modify the merge settings.

Drill down into results

In the Question Results grid, you can drill down into selected results to retrieve more information from the associated endpoints. Adding a drill-down question effectively means using its sensors to filter the selected results. A typical use case is targeting a smaller group of endpoints for an action. For example, you might initially issue a question that returns a list of chassis types and operating systems for all endpoints. To see the identities of endpoints that return specific results, you can drill down into those results with the Computer Name sensor.

  1. In the Question Results grid, select the check boxes of the results for which you want more information. The Drill Down button then appears above the grid.
  2. Click Drill Down to open the Select Drill-down Question dialog.
  3. Use one of the following tabs to specify a drill-down question and then click Drill Down:
    • Saved Questions: Lists saved questions that are assigned to content sets for which you have Read Saved Question permission. By default, the list includes only questions that have the Make this question available for drilldown setting enabled (see Create a saved question). To include questions that do not have the setting enabled, select Show all questions.

      To filter the list so that it includes only saved questions whose Visibility setting is Only the Owner and Admins can see this object, select Hide public questions.

    • Create a Question: Enter a question using the same syntax as in the Interact Ask a Question field (see Issue a question through the Ask a Question field).
    • Build a Question: Construct a question using the same fields as in the Interact Question Builder (see Issue a question through the Question Builder).

    After you click Drill Down, Interact displays the progression of results, including a new Question Results grid for the drill-down question. You can then drill down further, deploy an action, save the question, or click Copy to Question Builder for further refinement.

View Asset details for endpoints

Tanium™ Asset stores numerous details about each endpoint that might be useful for your operational or monitoring activities. For example, you might want to see CPU and storage details about an endpoint before deploying an action to it. If you installed Asset version 1.7 or later and you log into the Tanium Console as a user with the Asset Report Read permission, you can see those details through the Question Results grid without issuing additional questions that consume more bandwidth and processor resources. The grid displays an Asset icon for endpoints after you issue a question that includes any of the following sensors:

  • Computer Name
  • Computer ID
  • Tanium Client IP Address
  • Asset Computer Serial Number
  • Asset Primary User Details

To see a summary of the Asset details for an endpoint, click its Asset icon in the grid to display the Asset Details popup. If the Asset database has multiple entries for the same endpoint, click the Multiple results found arrows at the top of the popup to find the Asset Details for a specific entry.

Figure 6: Asset icon in the Question Results grid and the Asset Details popup

If you want to see all the Asset details for an endpoint, click View Details in Asset in the Asset Details popup. Asset then opens the Computer Asset report for the endpoint.

Figure 7: Computer Asset report

If the Asset database has multiple entries for the same endpoint, you can click View all result matches in Asset in the Asset Details popup. Asset then opens and displays the All Assets report, filtered for that endpoint. You can then click the Computer Name of each entry to open the corresponding Computer Asset report.

Figure 8: All Assets report