Working with sources

A source is a configuration that defines a Trends saved question, how often to issue the question to the endpoints, and when to store results.

A Trends saved question can ask for results from only one sensor. The sensor can be a single column sensor, a multicolumn sensor, or a parameterized sensor.

For each source, you can configure how often to issue the saved question and how often to collect the data. By default, the saved question is issued every five hours and data is collected every 24 hours. The frequency is designed to get responses from endpoints that may be offline sometimes during a one day period but are online at one of the times the saved question is issued.

When you create a source, Trends creates a saved question that is named after the source. Trends prepends the string Trends. For example, if the name of the source is Chassis Type, the name of the saved question is Trends Chassis Type. With this convention, you can easily filter for Trends questions in the saved questions and question history tables in the Tanium™ Console.

Do not modify a Trends saved question. Trends manages all saved questions that are used by sources and will revert back to the original version. Instead of modifying a saved question, either edit the source or create a new source.

Create a source

  1. From the Trends Menu, click Sources.
  2. Click New Source.
  3. Provide a name and description for the source.
  4. (Optional) In the Source Intervals section, change how often to issue the question and how often to collect results.
  5. In the Select Data section, use the Question Builder to configure the saved question settings. When you click Apply, Trends issues the question to the endpoints and a displays a preview of the results.

    Trends stores results as counts of the answers returned when sensors run on the Tanium™ Client. Make sure the saved question uses a sensor that returns stackable counts. For example, Get Tanium Client IP Address from all machines returns IP addresses, which are unique; these results cannot be stacked and do not display well in a chart.

  6. Click Create.

The source is created in addition to a saved question. Trends immediately issues the saved question to Tanium Clients. Within a few seconds, Trends begins to collect the initial results. Full results are available after ten minutes. Trends then issues the saved question according to the frequency that you select.

View source details

Each source on the Sources page contains an overall status of the source:

Status Description
The source is running or the last run completed successfully.
The source is waiting to determine the endpoints in the computer groups visible to Trends, or the source is waiting to run due to maximum source runs in progress.
The source is disabled.
The most recent source run failed to complete.

From the Sources page, click a source to view details of the source.

Source details include the run schedule, run logs, the associated Trends saved question, and which panels, if any, use the source.

The run schedule contains a 24 hour view of all runs for that source.

  • Successful runs display as .
  • Future runs display as .
  • Failed runs display as .

Edit a source

You can edit the name, description, and intervals of a source. To keep data in panels from becoming askew, you must create another source if you want to modify the saved question.

  1. From the Trends Menu, click Sources.
  2. Select the checkbox next to the source that you want to edit and click Edit.
  3. Edit the fields that you want to change.
  4. Click Save.

Collect results for a source

Trends automatically collects results for a source according to the schedule that you set when you create the source. In addition to the automatic collection schedule, you can manually issue the saved question and collect results.

  1. From the Trends Menu, click Sources.
  2. Click the source that you want to export.
  3. Click Run Now.
    If Trends is already collecting results for the source, Run Now is disabled.
  4. (Optional) Click the Runs tab to view the status or results for the run.

Trends issues the saved question and begins to collect the latest results within a few seconds. Full results are available after ten minutes.

Disable a source

If you disable a source, the associated saved question continues to be issued, but Trends does not collect results. You can still select the source when you create or edit a panel, but Trends does not collect data until you enable the source.

To disable a source, select the checkbox next to an enabled source on the Sources page and click Disable.

To enable a source, select the checkbox next to a disabled source on the Sources page and click Enable.

Delete a source

If you delete a source, any previously collected data is deleted, and any panels that use the source are deleted.

To delete a source, select the checkbox next to the source on the Sources page and click Delete .

Last updated: 9/14/2018 1:05 PM | Feedback