Working with sources

A source is a configuration that defines where data originates. In Trends, sources provide data to build charts. There are two types of sources:

Module source

A module source is a configuration that defines data that a Tanium module provides to Trends. Data can include metrics, such as counts of events. Module sources are read-only, and access is set by access permissions to the corresponding module. Module sources are created when you import a Tanium module.

Saved question source

A saved question source is a configuration that defines a Trends saved question, how often to issue the question, and when to collect results from the endpoints. Every source issues its saved question to all computer groups visible to Trends.

A Trends saved question can ask for results from only one sensor. The sensor can be a single column sensor, a multicolumn sensor, or a parameterized sensor.

When you create a saved question source, Trends creates a saved question that is named after the source, with the string Trends prepended. For example, if the name of the source is Chassis Type, the name of the saved question is Trends Chassis Type. With this convention, you can easily filter for Trends questions in the saved questions and question history tables in the Tanium™ Console.

Create a saved question source

  1. From the Trends menu, click Sources.
  2. Click Create Source.
  3. In the Source Details section, provide a name for the source.

    Source names must be unique. This includes sources that you might not have access to view. For more information, see Unable to view or select content.

  4. (Optional) Enter a description and assign a content set to the source.
    • By default, Trends assigns sources to the Trends content set.
    • A source is available only to users with permission to the content set.
    • Only content sets for which you have permission to create new sources appear as options.
  5. In the Source Intervals section, specify how often to reissue the question and how often to collect results.
    • When a question is issued, Tanium collects results from online endpoints and stores them on the Tanium Server. Specify a Question Reissue frequency that maximizes the number of endpoints from which to collect data.

      Trends provides a suggested reissue time around 300 minutes, or five hours. This frequency is designed to get responses from endpoints that might be offline at times during a one-day period but are online at one of the times the saved question is issued. For more information, see Reference: Trends data collection for saved question sources.

    • For the Schedule Type, specify how often the source should run. A source run collects results from the Tanium Server. When Trends collects results, the question is issued one more time to get the latest results. After the results are collected, any panels that use the source update with the latest data.
  6. In the Select Data section, use the Question Builder controls to configure the saved question settings. When you click Apply, Trends issues the question to the endpoints and displays a preview of the results. For more information on the Question Builder, see Tanium Console User Guide: Asking questions.

    Trends stores results as counts of the answers returned when sensors run on the Tanium™ Client. Make sure the saved question uses a sensor that returns stackable counts. For example, Get Tanium Client IP Address from all machines returns IP addresses, which are unique; these results cannot be stacked and do not display well in a chart.

  7. Click Create.

The saved question source is created in addition to a saved question. Trends immediately issues the saved question to Tanium Clients. Within a few seconds, Trends begins to collect the initial results. Full results are available after ten minutes. Trends issues the saved question according to the frequency that you select.
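
The following is an added example, not part of the Tanium documentation: a simplified model of the Question Reissue guidance in step 5 that shows which endpoints a given interval reaches. The endpoint names and online windows are constructed, the first issue is assumed to happen at midnight, and the model assumes an endpoint answers only if it is online at the minute a question is issued.

```python
DAY = 24 * 60  # minutes in one day

# Constructed sample data: daily online windows per endpoint, as
# (start_minute, end_minute) after midnight. Not real Tanium output.
ENDPOINTS = {
    "server-01": [(0, DAY)],            # always online
    "laptop-01": [(9 * 60, 17 * 60)],   # office hours
    "laptop-02": [(13 * 60, 14 * 60)],  # online one hour a day
    "kiosk-01": [(20 * 60, 23 * 60)],   # evening only
    "lab-01": [(6 * 60, 7 * 60)],       # early-morning window
}


def issue_times(reissue_minutes, days=1):
    """Minutes (counted from a first issue at 0) when the question is issued."""
    if reissue_minutes <= 0:
        raise ValueError("reissue interval must be positive")
    return list(range(0, days * DAY, reissue_minutes))


def is_online(windows, minute):
    """True if the endpoint is online at this absolute minute."""
    clock = minute % DAY
    return any(start <= clock < end for start, end in windows)


def reached(reissue_minutes, days=1, endpoints=ENDPOINTS):
    """Endpoints online at one or more issue times (simplified model)."""
    times = issue_times(reissue_minutes, days)
    return sorted(
        name for name, windows in endpoints.items()
        if any(is_online(windows, t) for t in times)
    )


def missed(reissue_minutes, days=1, endpoints=ENDPOINTS):
    """Endpoints never online at an issue time within the horizon."""
    hit = set(reached(reissue_minutes, days, endpoints))
    return sorted(set(endpoints) - hit)


if __name__ == "__main__":
    for interval in (300, 360, 720):
        for days in (1, 4):
            print(interval, "min,", days, "day(s), missed:", missed(interval, days))
```

In this constructed sample, a 300-minute interval misses two endpoints on the first day but reaches all of them within four days, because 300 does not divide 1,440 evenly and the issue times shift by an hour each day. A 360-minute interval lands on the same four clock times every day, so the endpoints it misses on day one stay missed.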

View source details

The Sources page contains data collection metrics in addition to two tabs:

  • The User Defined tab contains any sources that you create or import.
  • The Managed tab contains sources provided by Tanium, including sources from other Tanium modules. Sources on the Managed tab are read-only, but can be disabled to stop data collection.

Each source contains basic information and a status icon. To view basic information, click Expand next to a source to expand the row.

Status icons include the following:

Status Description
The last source run completed successfully.
The source is running.
The source run is initializing.
The source is queued and waiting to run. This status appears when Trends is still collecting computer group membership, or when Trends reaches the limit on concurrent source runs.
The source is disabled.
The most recent source run failed to complete.

From the Sources page, click a source to view details of the source.

Details for a module source include the panels, if any, that use the source.

Details for a saved question source include metrics, the run schedule, run logs, the associated Trends saved question, and any panels that use the source. The run schedule contains a 24-hour view of all runs for the saved question source.

  • Successful runs display as .
  • Future runs display as .
  • Failed runs display as .

Edit a saved question source

Use caution when you edit the syntax of the saved question in a source. If you edit the syntax but do not remove any columns, any cached endpoint data is lost and panels that use the source may require several runs to collect responses from all endpoints. If you remove columns when you edit the saved question, previously collected data may be unavailable.

  1. From the Trends menu, click Sources.
  2. From the User Defined tab, select the checkbox next to the source that you want to edit and click Edit.
  3. Edit the fields that you want to change.
  4. Click Save.

Collect results for a source

Trends automatically collects results for a saved question source according to the schedule that you set when you create the source. In addition to the automatic collection schedule, you can manually collect results for saved question sources and some module sources.

  1. From the Trends menu, click Sources.
  2. Click the source to view source details.
  3. Click Run Now.
    If Trends is already collecting results for the source, Run Now is disabled. If the Run Now option does not display, the source does not support manual collection.
  4. (Optional) Click the Runs tab to view the status or results for the run.

For saved question sources, Trends issues the saved question and begins to collect the latest results within a few seconds. Full results are available after ten minutes, and any panels that use the source update with the latest data.

Disable a source

You can disable both saved question sources and module sources. If you disable a saved question source, the associated saved question continues to be issued, but Trends does not collect results. You can still select the source when you create or edit a panel, but Trends does not collect data until you enable the source.

  • To disable a source, select the checkbox next to an enabled source on the Sources page and click Disable.
  • To enable a source, select the checkbox next to a disabled source on the Sources page and click Enable.

Delete a source

You can delete sources that appear in the User Defined tab on the Sources page. If you delete a saved question source, any previously collected data is deleted, and any panels that use the source are deleted.

  • To delete a source, select the checkbox next to the source on the User Defined tab of the Sources page and click Delete.