Working with sources

A source is a configuration that defines where data originates. In Trends, sources provide data to build charts. There are two types of sources:

Module source

A module source is a configuration that defines data that a Tanium module provides to Trends. Data can include metrics or events. Module sources are read-only, and only Trends administrators can view data from module sources. Modules sources are created when you import a Tanium module.

Saved question source

A saved question source is a configuration that defines a Trends saved question, how often to issue the question, and when to collect results from the endpoints. Every source issues its saved question to all computer groups visible to Trends.

A Trends saved question can ask for results from only one sensor. The sensor can be a single column sensor, a multicolumn sensor, or a parameterized sensor.

For each saved question source, you can configure how often to issue the saved question and how often to collect the data. By default, the saved question is issued every five hours and data is collected every 24 hours. The frequency is designed to get responses from endpoints that may be offline sometimes during a one day period but are online at one of the times the saved question is issued.

When you create a saved question source, Trends creates a saved question that is named after the source. Trends prepends the string Trends. For example, if the name of the source is Chassis Type, the name of the saved question is Trends Chassis Type. With this convention, you can easily filter for Trends questions in the saved questions and question history tables in the Tanium™ Console.

Do not modify a Trends saved question. Trends manages all saved questions that are used by sources and will revert back to the original version. Instead of modifying a saved question, either edit the source or create a new source.

Create a saved question source

  1. From the Trends Menu, click Sources.
  2. Click New Source.
  3. Provide a name and description for the source.
  4. (Optional) In the Source Intervals section, change how often to issue the question and how often to collect results.
  5. In the Select Data section, use the Question Builder to configure the saved question settings. When you click Apply, Trends issues the question to the endpoints and a displays a preview of the results.

    Trends stores results as counts of the answers returned when sensors run on the Tanium™ Client. Make sure the saved question uses a sensor that returns stackable counts. For example, Get Tanium Client IP Address from all machines returns IP addresses, which are unique; these results cannot be stacked and do not display well in a chart.

  6. Click Create.

The saved question source is created in addition to a saved question. Trends immediately issues the saved question to Tanium Clients. Within a few seconds, Trends begins to collect the initial results. Full results are available after ten minutes. Trends then issues the saved question according to the frequency that you select.

View source details

The Sources page contains tabs for saved question sources and module sources. Each source contains an overall status:

Status Description
The source is running or the last run completed successfully.
The source is waiting to determine the endpoints in the computer groups visible to Trends, or the source is waiting to run due to maximum source runs in progress.
The source is disabled.
The most recent source run failed to complete.

From the Sources page, click a source to view details of the source.

Details for a module source include the panels, if any, that use the source.

Details for a saved question source include the run schedule, run logs, the associated Trends saved question, and the panels, if any, that use the source. The run schedule contains a 24 hour view of all runs for the saved question source.

  • Successful runs display as .
  • Future runs display as .
  • Failed runs display as .

Edit a saved question source

You can edit the name, description, and intervals of a saved question source. To keep data in panels from becoming askew, you must create another saved question source if you want to modify the saved question.

  1. From the Trends Menu, click Sources.
  2. From the Saved Question Sources tab, select the checkbox next to the source that you want to edit and click Edit.
  3. Edit the fields that you want to change.
  4. Click Save.

Collect results for a saved question source

Trends automatically collects results for a saved question source according to the schedule that you set when you create the source. In addition to the automatic collection schedule, you can manually issue the saved question and collect results.

  1. From the Trends Menu, click Sources.
  2. From the Saved Question Sources tab, click the source to open the Source Details page.
  3. Click Run Now.
    If Trends is already collecting results for the source, Run Now is disabled.
  4. (Optional) Click the Runs tab to view the status or results for the run.

Trends issues the saved question and begins to collect the latest results within a few seconds. Full results are available after ten minutes.

Disable a source

You can disable both saved question sources and module sources.

If you disable a saved question source, the associated saved question continues to be issued, but Trends does not collect results. You can still select the source when you create or edit a panel, but Trends does not collect data until you enable the source.

To disable a source, select the checkbox next to an enabled source on the Sources page and click Disable.

To enable a source, select the checkbox next to a disabled source on the Sources page and click Enable.

Delete a saved question source

If you delete a saved question source, any previously collected data is deleted, and any panels that use the source are deleted.

To delete a saved question source, select the checkbox next to the source on the Sources page and click Delete .

Last updated: 11/13/2018 2:28 PM | Feedback