Example: Multi-column sensors

Multi-column sensors collect multiple pieces of related data in a single answer from each Tanium Client. They are useful Create multi-column sensors for data that you want the Question Results page to display as a single record. For example, Registry Key Value Names with Data is an example of a Tanium-provided multi-column sensor. For the registry key that you specify, the sensor returns the User (if the key is associated with a user hive), Key Path, Value, Data, data Type, and OS Architecture type.

Figure  1:  Results from a multi-column sensor (click image to enlarge)

Sensor script

When you create a sensor (see Create a sensor), its script must add a delimiter between each property as it writes to the standard output channel. The delimiter in the script must match the delimiter in the Use delimiter field of the sensor configuration. In the following example, the delimiter is the pipe | character.

Figure  2:  Multi-column delimiters in sensor script (click image to enlarge)

Sensor settings

For multi-column sensors, when you configure sensor settings, select Split into multiple columns, specify a string separator (a pipe | is common), and use the controls to specify the columns. Note that when creating questions that filter multi-column sensors, single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as "|"), not multiple characters (such as "|:").

Figure  3:  Multi-column result settings