Analyzing events

A targeted endpoint reports an event after experiencing the conditions that you defined in an event rule in a profile. The Events page displays charts that provide more information about events in your environment.

View the Events page

  1. From the Performance menu, click Events.
  2. Specify the computer group for which you want to see events in the Define Computer Groups field.
  3. Select a time period for the displayed events from the Scope menu:
    • Past day (default value)
    • Past hour
    • Past 4 hours
    • Past 8 hours
    • Past 2 days
    • Past week
  4. If you changed the default values, click Get Results.

The Events page refreshes and displays the events that match the specified parameters.

The Events page displays only events that occurred on endpoints targeted by a profile during the specified Scope. If no events occurred during the specified scope, or no profile is configured to monitor for events of that type, the chart for that event type displays "No data to display".

Targeted Endpoint Status

The Targets section displays a high-level overview of the current configuration status of targeted endpoints:

Total Endpoints Targeted

Displays the total number of endpoints that are currently targeted by a profile.

Configured

Displays the total number of endpoints that have the necessary configuration in place for metric collection. They are targeted by a profile and the Performance tools are installed.

Not Configured

Displays the total number of endpoints that do not have the necessary configuration in place for metric collection. They might not be targeted by a profile, or they might be missing the Performance tools.

Click View question results in Interact in this section to open the question results in Tanium™ Interact. From there, you can drill down into the results to determine which specific endpoints are missing the required configuration or profile.

View all events

Click the All tab in the charts section to display charts with all reported events for the defined computer groups during the time frame that you selected in the Scope parameter. Two charts summarize the reported events:

Event Rule Breakdown

This chart displays the number of endpoints that reported each type of event: CPU, Memory, Disk, and App Crashes. Each bar in the bar chart is color coded to indicate how many events of that type were reported by each endpoint. For example, the beige portion of the bar indicates the number of endpoints that reported 1-4 events. Hover your mouse over the bar to see a breakdown of the number of events per endpoint. Click a bar in the chart to load the endpoints represented by that piece of the chart.








Endpoint Event Breakdown

This chart displays the total number of events by the number of endpoints. Use this chart to quickly identify the endpoints that are having the most problems in the defined computer group.





View CPU events

Click the CPU tab in the charts section to display charts that provide more information about endpoints in the defined computer groups that reported CPU events during the selected time frame. These charts are designed to help you find patterns and commonalities among the endpoints that are having issues in your environment. Two charts summarize the reported events:

Process associated

This chart shows specific processes and the number of CPU events that are associated with each of those processes. The process that consumes the highest amount of CPU for the duration of the event is reported as the process associated with the event.



Consider an example where you create an event rule in a profile to trigger an event if the CPU use is above 90% for longer than 10 minutes. An endpoint that is targeted by that profile has CPU usage at 95% for an hour, which generates a performance event. The process that consumed the most CPU during that hour was badprocess.exe. Because badprocess.exe was the highest CPU consumer during that event, it is reported as the process that is associated with the event in the chart. If several endpoints are reporting events that are associated with badprocess.exe, you can investigate this process further. For example, perhaps a recent upgrade touched this process and the associated program needs to be tuned, or perhaps anti-virus software settings are not configured correctly.

Models with Events

This chart displays the model of the endpoint that reported an event.





Hover over a slice in the chart to see the exact number of endpoints with that model that reported an event. Click a slice in the chart to load the endpoints represented by that piece of the chart.


View memory events

Click the Memory tab in the charts section to display charts that provide more information about endpoints in the defined computer groups that reported memory events during the selected time frame. Two charts summarize the reported events:

Process associated

This chart shows specific processes and the number of memory events that are associated with each of those processes. The process that consumes the highest amount of memory for the duration of the event is reported as the process associated with the event.



Consider an example where you create an event rule in a profile to trigger an event if the available memory is less than 50 MB for longer than 10 minutes. An endpoint that is targeted by that profile has only 40 MB of free memory for an hour, which generates a performance event. The process that consumed the most memory during that hour was badprocess2.exe. Because badprocess2.exe was the highest consumer of memory during that event, it is reported as the process that is associated with the event in the chart.
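The CPU and memory rules from the two examples above, worked through as an added illustration (this is not Tanium code). It assumes one sample per minute and that the associated process is the one with the largest usage summed over the breach window; the function names, updater.exe, svc.exe, and all sample values are constructed.

```python
from collections import defaultdict

def find_events(samples, threshold, min_minutes, breach_above=True):
    """Return one event per unbroken run of breaching samples lasting longer
    than min_minutes, tagged with the top consumer summed over that run."""
    events, run = [], []

    def close_run():
        # Only runs that outlast the rule's duration become events.
        if run and run[-1][0] - run[0][0] > min_minutes:
            totals = defaultdict(float)
            for _, _, procs in run:
                for name, usage in procs.items():
                    totals[name] += usage
            events.append({"start": run[0][0], "end": run[-1][0],
                           "process": max(totals, key=totals.get)})
        run.clear()

    for sample in samples:
        value = sample[1]
        breached = value > threshold if breach_above else value < threshold
        if breached:
            run.append(sample)
        else:
            close_run()
    close_run()  # a breach still in progress at the end of the data
    return events

def cpu_samples():
    # Constructed: (minute, total CPU %, {process: CPU %}).
    # updater.exe leads for the first 10 minutes, badprocess.exe for the rest.
    s = [(m, 95.0, {"updater.exe": 60.0, "badprocess.exe": 35.0}) for m in range(10)]
    s += [(m, 95.0, {"updater.exe": 25.0, "badprocess.exe": 70.0}) for m in range(10, 60)]
    s += [(m, 20.0, {"updater.exe": 20.0}) for m in range(60, 65)]
    # A 5-minute spike above 90% is too short to satisfy the rule.
    s += [(m, 92.0, {"updater.exe": 92.0}) for m in range(65, 70)]
    return s

def memory_samples():
    # Constructed: (minute, available MB, {process: memory in use, MB}).
    return [(m, 40.0, {"badprocess2.exe": 3000.0, "svc.exe": 500.0}) for m in range(60)]

if __name__ == "__main__":
    print(find_events(cpu_samples(), 90, 10))
    print(find_events(memory_samples(), 50, 10, breach_above=False))
```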

Models with Events

This chart displays the model of the endpoint that reported an event.





Hover over a slice in the chart to see the exact number of endpoints with that model that reported an event. Click a slice in the chart to load the endpoints represented by that piece of the chart.


View disk events

Click the Disk tab in the charts section to display a chart that provides more information about endpoints in the defined computer groups that reported disk events during the selected time frame. One chart summarizes the reported events:

Models with Events

This chart displays the model of the endpoint that reported an event.





Hover over a slice in the chart to see the exact number of endpoints with that model that reported an event. Click a slice in the chart to load the endpoints represented by that piece of the chart.




View application crashes

Click the Application Crashes tab in the charts section to display charts that provide more information about endpoints in the defined computer groups that reported application crashes during the selected time frame. Two charts summarize the reported events:

Models with Events

This chart displays the model of the endpoint that reported an event.





Hover over a slice in the chart to see the exact number of endpoints with that model that reported an event. Click a slice in the chart to load the endpoints represented by that piece of the chart.




Application Crashes

This chart shows specific processes and the number of crashes that are associated with each of those processes.



Load endpoints

Below any chart, click Load Endpoints with [event type] to display a list of the endpoints that reported that event. Use the Filter Events section to filter the results based on Model, Operating System, or Process Name.

You can also click a bar or a slice in a chart to load the endpoints represented by that piece of the chart.

Customize the results display

Click Customize Columns to add or remove columns from the results table. Possible columns are:

  • Events

    The number of events for the selected chart (All, CPU, Memory, Disk, or Application Crashes) that occurred during the selected Scope.

  • Computer Name
  • IP Address
  • Total Memory
  • Operating System
  • Model
  • Top Processes

    The processes that consume the highest amount of memory or CPU, depending on the chart that is selected, for the duration of the event are reported as the top processes associated with the event.

  • Action

    If you installed Direct Connect, provides a link to connect to the endpoint.

Drag and drop the items in the Customize Columns list to change the order of the columns in the results table. Click a column header to sort the results by that column.

Connect directly to an endpoint

Click Direct Connect to Endpoint in the Action column to connect directly to the endpoint for further troubleshooting.

You must have the Direct Connect solution installed and configured to use this action. For more information, see Connecting directly to endpoints.

View in Tanium Interact

Click View question results in Interact to open the question results in Interact. From there, you can modify the question or drill down in the results to find more details about the endpoints that reported an event.

You might want to use this feature to refine the data that is returned or to schedule an action on the endpoints. For more information about working with the Question Builder, see Tanium Console User Guide: Using the Question Builder. This button is available in the event charts and lists of endpoints on the Events page.