Reference: Manage sensor string growth

You can mitigate the impact that question results have on Tanium Server memory and disk usage by setting a maximum age for the answer strings that the server stores for individual sensors.

The Tanium Server stores strings in the <Tanium Server installation folder>/strings folder and loads the strings into memory (the string cache) when it uses them. To prevent string growth from consuming too much space, the server clears a portion of the strings for all sensors when the total strings exceed a default threshold. However, the default string-cleaning settings do not distinguish among sensors in terms of how likely they are to generate strings that are unique and that are used only once. This matters because unique strings consume more space and clearing single-use strings has less impact on server processing and traffic (the Tanium Server does not have to reissue questions to regenerate the strings for future use). For example, the Detect Primary Alerts sensor often generates many unique, single-use strings. To account for these factors, you can configure string cleaning for individual sensors based on a Max String Age. The server bases string ages on when it last used the strings or received them from Tanium Clients and discards strings that exceed the maximum.

The following procedure describes how to determine which sensors are producing the most string growth and to set the Max String Age for those sensors. For most sensors that require a limit, use the default maximum of seven days as a best practice. Setting a lower maximum is required only in rare cases, such as for sensors that produce results containing date or time stamps. The best practice is to avoid including date and time stamps in string results when writing a sensor, because they tend to result in unusually large string growth. However, if such sensors are necessary, you can set the maximum as low as one day for sensors that use date stamps and as low as six hours for sensors that use time stamps. Contact Tanium Support if you are considering setting the Max String Age to lower than six hours; only exceptional cases require such limits.

Before you begin

Install Tanium™ Health Check if it is not already installed. For details, see Tanium Health Check User Guide: Installing Health Check.

Configure age-based string cleaning

Determine which sensors produce the most string growth

Use the Health Check module to determine which sensors produce the most string growth.

To view string counts for each sensor in the Tanium Console, go to the Main menu, select Administration > Content > Sensors, and display the String Count column, which is hidden by default.

1. From the Main menu, select Shared Services > Health Check.
2. Under Manual Report Generation, click Run TPAN Report Now.
3. Under Reports click the HTML link for the Full Report that you just ran.
4. At the top of the report, select Environmental Details > String Details.
5. Review the grids that list the top sensors by string count and memory usage to determine which sensors produce the most string growth.

Set the maximum string age

1. From the Main menu, select Administration > Content > Sensors.

   Perform the remaining steps for each sensor that you determine requires a string age limit.

2. Select the sensor and click Edit.
3. Enable and set the Max String Age (default is seven days), and then click Save.

   For almost all sensors, setting the Max String Age reduces string growth to a manageable level and setting the Max Strings (string count limit) is unnecessary. Contact Tanium Support before setting the Max Strings in extreme cases that might require a string count limit for individual sensors.

4. Over the next two days, repeat the steps to run a TPAN report and verify that string counts and memory usage are reduced as expected for the sensors that have string limits. If necessary, set a lower Max String Age for sensors that still produce too much string growth.