Reference: Advanced Settings

You can manage settings that control Tanium Performance, such as the configuration of process groups.

Configure process groups

By default, Performance aggregates metrics collected for processes with the same name and displays the aggregated metrics. For example, if an endpoint has multiple processes named BusinessApp running, then after you establish a direct connection to the computer and view historical performance information, only one BusinessApp process displays.

Processes with the same name are aggregated, even if each process runs from a different command line filepath.

Process groups affect the collection and display names of processes, which change how Performance aggregates and displays metrics. Process groups have two primary use cases:

  1. The most common use case is to separate processes which would be grouped together by default, to view separate metrics for each process. This is most useful when troubleshooting specific applications that might run multiple processes with the same name, each of which does different things. For example, Windows runs multiple svchost.exe processes during normal operation. You can display separate metrics for each individual svchost.exe process.

  2. The next most common use case is to group processes with different names when Performance aggregates metrics. The process name displayed is the Replacement text that the user enters. For example, a process named foo and a process named bar can have their metrics combined and shown as a single process named baz. All metrics views and Performance sensors display the name baz for this process group, instead of foo or bar.

The Performance – Application Metric Analysis sensor allows users to graph or report on metrics from multiple processes that might comprise a single application without affecting the underlying data that Performance captures.

A process group is an advanced setting in Performance. For assistance with any process group configuration, contact Tanium Support. To contact Tanium Support for help, sign in to https://support.tanium.com.

  1. From the Performance menu, go to Profiles > Configure Process Groups > Create Process Group.
  2. In the Process Attribute section, select a replacement process name definition:

    • Select Command Line to match a command run at a command prompt.
    • Select Process Name to match a process name.
  3. Enter a Regular Expression to match the command or process. You can enter either a regular expression or a URL to a website that validates regular expressions.

    For example, if the command line for a process is TestProcess.exe --test-cmd, then a matching regular expression is:

    ^.*TestProcess(?:\.exe)?.+--test-cmd.*$

    The following example regular expression validation URL matches the process string TestProcess.exe --test-cmd:

    https://regex101.com/r/wMVNFd/1

  4. Enter the Replacement text to display when the regular expression matches a process or command.
  5. Click Submit.
  6. Update the profile targeting the computer group. For more information, see Modify a profile.
  7. To verify that the process group works, establish a direct connection with a targeted endpoint and view the Live Process Monitor. Add the Process Group Name and Command Line columns to the view. For more information, see Create a direct connection and View the Live Process Monitor.
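
To check a pattern against known command lines before submitting it, the following added example (not Tanium code) applies the regular expression from step 3 to a constructed process list and shows which processes would be relabelled and how their metrics would merge. The Replacement text TestGroup, the sample processes, the first-match rule order, and the use of Python's re module in place of the product's regex engine are assumptions.

```python
import re
from collections import defaultdict

# Rule from the page: attribute, regular expression, Replacement text.
# "TestGroup" is a hypothetical Replacement text chosen for this example.
RULES = [
    ("command_line", r"^.*TestProcess(?:\.exe)?.+--test-cmd.*$", "TestGroup"),
]

# Constructed sample processes: (process name, command line, CPU percent).
PROCESSES = [
    ("TestProcess.exe", r"TestProcess.exe --test-cmd", 4.0),
    ("TestProcess.exe", r"C:\App\TestProcess.exe --other", 2.5),
    ("TestProcess.exe", r"C:\App\TestProcess.exe -v --test-cmd", 1.0),
    ("MyTestProcessor.exe", r"C:\Tmp\MyTestProcessor.exe --test-cmd", 9.0),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs", 0.5),
]


def display_name(name, cmdline, rules=RULES):
    """Return the Replacement text of the first matching rule, else the name."""
    for attribute, pattern, replacement in rules:
        subject = cmdline if attribute == "command_line" else name
        if re.search(pattern, subject):
            return replacement
    return name


def aggregate(processes, rules=RULES):
    """Sum CPU per display name, mimicking aggregation by name."""
    totals = defaultdict(float)
    for name, cmdline, cpu in processes:
        totals[display_name(name, cmdline, rules)] += cpu
    return dict(totals)


def unexpected_members(processes, expected_names, rules=RULES):
    """List processes a rule captured whose real name was not expected."""
    return [
        (name, cmdline)
        for name, cmdline, _ in processes
        if display_name(name, cmdline, rules) != name and name not in expected_names
    ]


if __name__ == "__main__":
    print(aggregate(PROCESSES))
    print(unexpected_members(PROCESSES, {"TestProcess.exe"}))
```

Because the pattern starts with ^.* and is not bounded on the left of TestProcess, the constructed MyTestProcessor.exe command line also matches and its metrics are folded into the same group; tighten the pattern if that is not intended.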