Analyzing events

An event is reported when a targeted endpoint experiences the conditions that you defined in an event rule in a profile. The Events page displays charts that provide more information about events in your environment.

View the Events page

  1. From the Performance menu, click Events.
  2. Specify the computer group for which you want to see events in the Define Computer Groups parameter.
  3. Select a time period for the displayed events from the Scope menu. Possible options are:
    • 1 hour
    • 4 hours
    • 8 hours
    • 1 day
    • 2 days
    • 1 week
  4. If you made changes to the default values, click Get Results.

The Events page refreshes and displays the events that match the specified parameters.

The Events page displays only events that occurred on endpoints that are targeted by a profile during the time frame that you specified in the Scope parameter. If an event occurred outside of the selected scope, it is not displayed on this page. If no events occurred during the specified scope, or no profile is configured to monitor for events of that type, the chart displays No data to display.

Targeted Endpoint Status

The Targeted Endpoint Status - Events Occurring Now section displays a high-level overview of the current status of targeted endpoints.

Unlike the rest of the Events page, the Targeted Endpoint Status - Events Occurring Now section displays the current state of endpoints in your environment that are targeted by a profile, not their state during the time frame that you selected in the Scope parameter.

Total Targeted Endpoints

Displays the total number of endpoints that you are targeting in the computer group that you specified in the Define Computer Groups parameter.

Endpoints with events

Displays the total number of endpoints in the specified computer group that reported an event.

Endpoints without configuration

Displays the total number of endpoints in the specified computer group that do not have the necessary configuration in place for metric collection. They might not be targeted by a profile, or they might be missing the Performance tools.

Endpoints without events

Displays the total number of endpoints in the specified computer group that have not reported any events.

View all events

Click the All tab in the charts section to display charts with all reported events for the defined computer groups during the time frame that you selected in the Scope parameter. Two charts display that show a summary of the reported events:

Event Rule Breakdown

This chart displays the number of endpoints that reported each type of event: Disk, App Crashes, Network, Memory, and CPU. Each bar in the bar chart is color coded to indicate how many events of that type were reported by each endpoint. For example, the beige portion of the bar indicates the number of endpoints that reported 1-4 events. Hover your mouse over the bar to see a breakdown of the number of events per endpoint.

Endpoint Event Breakdown

This chart displays the total number of events by the number of endpoints. Use this chart to quickly identify the endpoints that are having the most problems in the defined computer group.

View CPU events

Click the CPU tab in the charts section to display charts that provide more information about endpoints in the defined computer groups that reported CPU events during the selected time frame. These charts are designed to help you find patterns and commonalities among the endpoints that are having issues in your environment. Two charts display that show a summary of the reported events:

Process associated

This chart shows specific processes and the number of CPU events that are associated with each of those processes.

The process that consumes the highest amount of CPU for the duration of the event is reported as the process associated with the event. Consider an example where you create an event rule in a profile to trigger an event if the CPU use is above 90% for longer than 10 minutes. An endpoint that is targeted by that profile has CPU usage at 95% for an hour, which generates a performance event. The highest CPU consumer during that hour was badprocess.exe. Because badprocess.exe was the highest CPU consumer during that event, it is reported as the process that is associated with the event in the chart. If several endpoints are reporting events that are associated with badprocess.exe, you can investigate this process further. For example, perhaps a recent upgrade touched this process and the associated program needs to be tuned, or perhaps anti-virus software settings are not configured correctly.

Models with Events

This chart displays the model of the endpoint that reported an event. Hover over a slice in the pie chart to see the exact number of endpoints with that model that reported an event.

View memory events

Click the Memory tab in the charts section to display charts that provide more information about endpoints in the defined computer groups that reported memory events during the selected time frame. Two charts display that show a summary of the reported events:

Process associated

This chart shows specific processes and the number of memory events that are associated with each of those processes.

The process that consumes the highest amount of memory for the duration of the event is reported as the process associated with the event. Consider an example where you create an event rule in a profile to trigger an event if the available memory is less than 50 MB for longer than 10 minutes. The memory on an endpoint that is targeted by that profile has only 40 MB of free memory for an hour, which generates a performance event. The highest memory consumer during that hour was badprocess2.exe. Because badprocess2.exe was the highest consumer of memory during that event, it is reported as the process that is associated with the event in the chart.
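The CPU and memory examples above follow the same pattern: a threshold held for longer than a set duration, then attribution to the top consumer. The following sketch is an added example, not Tanium code; the function names, the 5-minute sampling interval, the sample data, and the choice to sum per-process usage over the event to find the "highest" consumer are all assumptions made for illustration.

```python
from collections import defaultdict

def detect_events(samples, breached, min_minutes):
    """samples: time-ordered (minute, metric_value, {process: usage}) tuples.
    Returns one event per run of breaching samples lasting longer than
    min_minutes, tagged with the process that consumed the most over the run."""
    events, run = [], []
    for sample in list(samples) + [None]:      # None flushes the final run
        if sample is not None and breached(sample[1]):
            run.append(sample)
            continue
        if run and run[-1][0] - run[0][0] > min_minutes:
            totals = defaultdict(float)
            for _, _, procs in run:            # assumption: sum usage over the run
                for name, usage in procs.items():
                    totals[name] += usage
            events.append({"start": run[0][0], "end": run[-1][0],
                           "process": max(totals, key=totals.get)})
        run = []
    return events

def cpu_samples():
    """Constructed data: total CPU % and per-process CPU % every 5 minutes."""
    out = []
    for minute in range(0, 95, 5):
        if 15 <= minute <= 75:                 # sustained breach, one hour
            procs = {"badprocess.exe": 70.0, "updater.exe": 25.0}
            if minute == 30:                   # one-sample spike by another process
                procs = {"badprocess.exe": 15.0, "updater.exe": 80.0}
            out.append((minute, 95.0, procs))
        elif minute >= 85:                     # 5-minute spike, too short for the rule
            out.append((minute, 96.0, {"updater.exe": 90.0}))
        else:
            out.append((minute, 40.0, {"updater.exe": 30.0}))
    return out

def memory_samples():
    """Constructed data: available MB and per-process resident MB every 5 minutes."""
    out = []
    for minute in range(0, 95, 5):
        low = 10 <= minute <= 70
        procs = {"badprocess2.exe": 3000.0 if low else 500.0, "browser.exe": 800.0}
        out.append((minute, 40.0 if low else 900.0, procs))
    return out

if __name__ == "__main__":
    print(detect_events(cpu_samples(), lambda pct: pct > 90, 10))
    print(detect_events(memory_samples(), lambda mb: mb < 50, 10))
```

In the constructed CPU data, updater.exe briefly tops one sample and later causes a 5-minute spike, yet neither changes the result: only the hour-long breach becomes an event, and it is attributed to badprocess.exe.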

Models with Events

This chart displays the model of the endpoint that reported an event. Hover over a slice in the pie chart to see the exact number of endpoints with that model that reported an event.

View disk events

Click the Disk tab in the charts section to display a chart that provides more information about endpoints in the defined computer groups that reported disk events during the selected time frame. One chart displays that shows a summary of the reported events:

Models with Events

This chart displays the model of the endpoint that reported an event. Hover over a slice in the pie chart to see the exact number of endpoints with that model that reported an event.

View application crashes

Click the Application Crashes tab in the charts section to display charts that provide more information about endpoints in the defined computer groups that reported application crashes during the selected time frame. Two charts display that show a summary of the reported events:

Models with Events

This chart displays the model of the endpoint that reported an event. Hover over a slice in the pie chart to see the exact number of endpoints with that model that reported an event.

Application Crashes

This chart shows specific processes and the number of crashes that are associated with each of those processes.

Load endpoints

Below any chart, click Load Endpoints with [event type] to display a list of the endpoints that reported that event. Use the Filter Events section to filter the results based on Model or Operating System.

Customize the results display

Click Customize Columns to add or remove columns from the results table. Possible columns are:

  • Events (The number of events for the selected chart, All, CPU, Memory, Disk, or Application Crashes, that occurred during the selected Scope)
  • Computer Name
  • IP Address
  • Total Memory
  • Operating System
  • Model
  • Top Processes (The processes that consume the highest amount of memory or CPU, depending on the chart that is selected, for the duration of the event are reported as the top processes associated with the event)
  • Action (If you installed Direct Connect, provides a link to connect to the endpoint)

Drag and drop the items in the Displayed Columns list to change the order of the columns in the results table. Click a column header to sort the results by that column.

Connect directly to an endpoint

Click Connect to hostname in the Action column to connect directly to the endpoint for further troubleshooting.

You must have the Direct Connect solution installed and configured to use this action. For more information, see Connecting directly to endpoints.

View in Tanium Interact

Click View question results in Interact to open a question in the Tanium™ Interact Question Builder that returns the results that were displayed in the chart or list where you clicked the button.

You might want to use this feature to refine the data that is returned or to schedule an action on the endpoints. For more information about working with the Question Builder, see Tanium Console User Guide: Using the Question Builder. This button is available in the event charts and lists of endpoints on the Events page.

Last updated: 9/4/2019 9:07 AM