Analyzing events

A targeted endpoint reports an event when it experiences the conditions that you defined in an event rule in a profile. The Events page provides charts that give more information about the events reported in your environment.

View the Events page

  1. From the Performance menu, select Events.
  2. Specify the computer group for which you want to see events in the Define Computer Groups field.
  3. Select a time period for the events from the Scope menu. The default option is Past Day.
  4. If you change the default values, click Get Results.

The Events page shows only events that occurred on endpoints targeted by a profile during the specified Scope. If no events occurred during the specified scope, or no profile is configured to monitor for events of that type, the chart for that event type shows No data to display.

Targeted Endpoint Status

The Targets section shows a high-level overview of the current configuration status of targeted endpoints:

Total Endpoints Targeted

The total number of endpoints that are currently targeted by a profile.

Configured

The total number of endpoints that have the necessary configuration in place for metric collection. They are targeted by a profile and the Performance tools are installed.

Not Configured

The total number of endpoints that do not have the necessary configuration in place for metric collection. They might not be targeted by a profile, or they might be missing the Performance tools.

Click View question results in Interact in this section to open the question results in Tanium™ Interact. From there, you can drill down into the results to determine which specific endpoints are missing the required configuration or profile.

View all events

Click the All tab in the charts section to show a chart with all reported events for the defined computer groups during the time frame that you selected in the Scope parameter. One chart shows a summary of the reported events:

Event Rule Breakdown

The number of endpoints that reported each type of event: CPU, Memory, Disk Capacity, Disk Latency, Application Crashes, and System Crashes. Each bar in the bar chart is color coded to indicate how many events of that type were reported by each endpoint. For example, the light blue portion of the bar indicates the number of endpoints that reported 1-4 events. Hover your mouse over the bar to see a breakdown of the number of events per endpoint. Click a bar in the chart to load the endpoints represented by that piece of the chart.

View CPU events

Click the CPU tab in the charts section to show charts that provide more information about endpoints in the defined computer groups that reported CPU events during the selected time frame. These charts are designed to help you find patterns and commonalities among the endpoints that are having issues in your environment. Two charts show a summary of the reported events:

Top 10 Processes by Event Count

This chart shows the top ten processes with the highest number of CPU events and the number of CPU events that are associated with each of those processes. The process that consumes the highest amount of CPU for the duration of the event is reported as the process associated with the event.

Consider an example where you create an event rule in a profile to trigger an event if the CPU use is above 90% for longer than 10 minutes. The CPU on an endpoint that is targeted by that profile has CPU usage at 95% for an hour, which generates a performance event. The highest process consumer during that hour was badprocess.exe. Because badprocess.exe was the highest CPU consumer during that event, it is reported as the process that is associated with the event in the chart. If several endpoints are reporting events that are associated with badprocess.exe, you can investigate this process further. For example, perhaps a recent upgrade touched this process and the associated program needs to be tuned, or perhaps anti-virus software settings are not configured correctly.

Top 10 Models with Events

This chart shows the top ten models with the highest number of reported CPU events and the number of endpoints with that model that reported a CPU event. An endpoint is counted only once in the charts, even if that endpoint reported more than one CPU event.

If you want to see the full list of models that reported a CPU event, click View question results in Interact or Load Endpoints With CPU Events. From there, you can view the list of all endpoints that reported a CPU event and filter it by model.

Hover over a bar in the chart to see the exact number of endpoints with that model that reported an event. Click a bar in the chart to load the endpoints represented by that bar in the chart.
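The following is an added illustration, not Tanium code, of the logic the Top 10 Processes by Event Count and Top 10 Models with Events charts are built on: an event fires only when a threshold is breached continuously for longer than the rule's duration, the event is attributed to the process that consumed the most for the duration of the event, each event counts once under its process, and each endpoint counts once per model even when it reports several events. The same detector serves the memory example in the next section by flipping the comparison direction (available memory below the threshold). The 60-second sampling cadence, the per-sample process breakdown, the model lookup and the host names are assumptions made for the example.

```python
"""Sustained-threshold event detection, top-process attribution and the
per-process / per-model roll-ups behind the CPU and Memory event charts.

Added example; not Tanium code. Assumptions: metrics are sampled every 60 s,
each sample carries per-process consumption, and an endpoint's model comes
from a separate inventory lookup (MODEL_OF).
"""
from collections import Counter
from dataclasses import dataclass

INTERVAL = 60  # assumed sampling cadence in seconds


@dataclass
class Sample:
    t: int             # seconds since the start of the window
    value: float       # whole-endpoint reading: CPU % or available memory in MB
    by_process: dict   # process name -> its CPU % or MB in this sample


@dataclass(frozen=True)
class Event:
    endpoint: str
    kind: str          # "CPU" or "Memory"
    start: int
    end: int
    process: str       # highest consumer for the duration of the event


def detect_events(endpoint, kind, samples, threshold, min_duration, above=True):
    """One event per contiguous run of samples that breach `threshold` for
    longer than `min_duration` seconds. CPU rules breach when the value is
    above the threshold; memory (available MB) rules breach when it is below.
    The run is attributed to the process whose consumption summed over the run
    is largest, i.e. the highest consumer for the duration of the event."""
    events, run = [], []

    def close_run():
        duration = (run[-1].t - run[0].t + INTERVAL) if run else 0
        if duration > min_duration:            # "longer than", so strictly greater
            usage = Counter()
            for s in run:
                usage.update(s.by_process)
            events.append(Event(endpoint, kind, run[0].t, run[-1].t,
                                usage.most_common(1)[0][0]))
        run.clear()

    for s in samples:
        breached = s.value > threshold if above else s.value < threshold
        if breached:
            run.append(s)
        else:
            close_run()        # one sample back inside the threshold ends the run
    close_run()
    return events


def top_processes_by_event_count(events, n=10):
    """Each event counts once, under the process attributed to it."""
    return Counter(e.process for e in events).most_common(n)


def top_models_with_events(events, model_of, n=10):
    """Each endpoint counts once per model, however many events it reported."""
    endpoints_by_model = {}
    for e in events:
        endpoints_by_model.setdefault(model_of[e.endpoint], set()).add(e.endpoint)
    return sorted(((m, len(hosts)) for m, hosts in endpoints_by_model.items()),
                  key=lambda kv: (-kv[1], kv[0]))[:n]


def cpu_samples(start_min, minutes, busy_pct, top):
    """Constructed samples: `minutes` readings at `busy_pct`, dominated by `top`
    with a small fixed background process."""
    return [Sample((start_min + m) * INTERVAL, busy_pct,
                   {top: busy_pct - 5, "svchost.exe": 3}) for m in range(minutes)]


def idle_sample(start_min):
    return Sample(start_min * INTERVAL, 20, {"svchost.exe": 3})


# Constructed data for the rule "CPU above 90% for longer than 10 minutes".
MODEL_OF = {"host-a": "Model X1", "host-b": "Model X1", "host-c": "Model Z9"}
SAMPLES = {
    # one hour at 95%: a single event attributed to badprocess.exe
    "host-a": cpu_samples(0, 60, 95, "badprocess.exe"),
    # 5 minutes (too short, no event), a dip, then 12 minutes (one event)
    "host-b": cpu_samples(0, 5, 95, "badprocess.exe") + [idle_sample(5)]
              + cpu_samples(6, 12, 95, "badprocess.exe"),
    # two separate 15-minute runs: two events, but one endpoint for the model chart
    "host-c": cpu_samples(0, 15, 95, "updater.exe") + [idle_sample(15)]
              + cpu_samples(16, 15, 95, "updater.exe"),
}


def all_cpu_events():
    out = []
    for host, samples in SAMPLES.items():
        out += detect_events(host, "CPU", samples, threshold=90, min_duration=600)
    return out


if __name__ == "__main__":
    ev = all_cpu_events()
    print(top_processes_by_event_count(ev))    # badprocess.exe: 2, updater.exe: 2
    print(top_models_with_events(ev, MODEL_OF))  # [('Model X1', 2), ('Model Z9', 1)]
```

The detail worth noticing is that host-c contributes two events to the process chart but only one endpoint to the model chart, and that a run of exactly ten minutes does not fire because the rule says "longer than", not "at least".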

View memory events

Click the Memory tab in the charts section to show charts that provide more information about endpoints in the defined computer groups that reported memory events during the selected time frame. Two charts show a summary of the reported events:

Top 10 Processes by Event Count

This chart shows the top ten processes with the highest number of memory events and the number of memory events that are associated with each of those processes. The process that consumes the highest amount of memory for the duration of the event is reported as the process associated with the event.

Consider an example where you create an event rule in a profile to trigger an event if the available memory is less than 50 MB for longer than 10 minutes. The memory on an endpoint that is targeted by that profile has only 40 MB of free memory for an hour, which generates a performance event. The highest memory consumer during that hour was badprocess2.exe. Because badprocess2.exe was the highest consumer of memory during that event, it is reported as the process that is associated with the event in the chart.

Top 10 Models with Events

This chart shows the top ten models with the highest number of reported memory events and the number of endpoints with that model that reported a memory event. An endpoint is counted only once in the charts, even if that endpoint reported more than one memory event.

If you want to see the full list of models that reported a memory event, click View question results in Interact or Load Endpoints With Memory Events. From there, you can view the list of all endpoints that reported a memory event and filter it by model.

Hover over a bar in the chart to see the exact number of endpoints with that model that reported an event. Click a bar in the chart to load the endpoints represented by that piece of the chart.

View disk capacity events

Click the Disk Capacity tab in the charts section to show a chart that provides more information about endpoints in the defined computer groups that reported disk capacity events during the selected time frame. One chart shows a summary of the reported events:

Top 10 Models with Events

This chart shows the top ten models with the highest number of reported disk capacity events and the number of endpoints with that model that reported a disk capacity event. An endpoint is counted only once in the charts, even if that endpoint reported more than one disk capacity event.

If you want to see the full list of models that reported a disk capacity event, click View question results in Interact or Load Endpoints With Disk Capacity Events. From there, you can view the list of all endpoints that reported a disk capacity event and filter it by model.

Hover over a bar in the chart to see the exact number of endpoints with that model that reported a disk capacity event. Click a bar in the chart to load the endpoints represented by that bar in the chart.

View disk latency events

Click the Disk Latency tab in the charts section to show a chart that provides more information about endpoints in the defined computer groups that reported disk latency events during the selected time frame. One chart shows a summary of the reported events:

Top 10 Models with Events

This chart shows the top ten models with the highest number of reported disk latency events and the number of endpoints with that model that reported a disk latency event. An endpoint is counted only once in the charts, even if that endpoint reported more than one disk latency event.

If you want to see the full list of models that reported a disk latency event, click View question results in Interact or Load Endpoints With Disk Latency Events. From there, you can view the list of all endpoints that reported a disk latency event and filter it by model.

Hover over a bar in the chart to see the exact number of endpoints with that model that reported a disk latency event. Click a bar in the chart to load the endpoints represented by that bar in the chart.

Input/output operations per second (IOPS)

IOPS is an industry measurement of the I/O throughput of a disk or a collection of disks. Throughput in bytes per second is IOPS multiplied by the average I/O size, so the MB/s figures below assume large transfers. For example, a typical laptop with a 5400 RPM disk drive can deliver about 80 IOPS, which, assuming moderate levels of fragmentation, equals roughly 50 MB/s of sustained disk throughput.

An average response time longer than 15 ms is considered slow, and the effect on applications grows disproportionately, not linearly, as latency increases.

Typical IOPS by disk type

Storage               Max IOPS / throughput          Access time
USB floppy drive      10 IOPS / 0.25 MB/s            500 ms
5400 RPM hard disk    80 IOPS / 50 MB/s              15 ms
7200 RPM hard disk    100 IOPS / 80 MB/s             10 ms
15K RPM hard disk     200 IOPS / 125 MB/s            2.5 ms
SATA 6 Gb/s SSD       1,000-5,000 IOPS / 500 MB/s    0.2 ms (200 us)
NVMe M.2 SSD          >= 80,000 IOPS / 2-4 GB/s      <= 0.02 ms (20 us)

View application crashes

Click the Application Crashes tab in the charts section to show charts that provide more information about endpoints in the defined computer groups that reported application crashes during the selected time frame. Two charts show a summary of the reported events:

Top 10 Models with Events

This chart shows the top ten models with the highest number of reported application crashes and the number of endpoints with that model that reported an application crash.

If you want to see the full list of models that reported an application crash, click View question results in Interact or Load Endpoints With Application Crashes. From there, you can view the list of all endpoints that reported an application crash and filter it by model.

Hover over a bar in the chart to see the exact number of endpoints with that model that reported an application crash. Click a bar in the chart to load the endpoints represented by that bar in the chart.

Top 10 Application Crashes

This chart shows the top ten processes that crashed and the number of crashes recorded for each of those processes.

View system crashes

Click the System Crashes tab in the charts section to show charts that provide more information about endpoints in the defined computer groups that reported system crashes during the selected time frame. Two charts show a summary of the reported events:

Top 10 Models with Events

This chart shows the top ten models with the highest number of reported system crashes and the number of endpoints with that model that reported a system crash.

If you want to see the full list of models that reported a system crash, click View question results in Interact or Load Endpoints With System Crashes. From there, you can view the list of all endpoints that reported a system crash and filter it by model.

Hover over a bar in the chart to see the exact number of endpoints with that model that reported a system crash. Click a bar in the chart to load the endpoints represented by that bar in the chart.

Top 10 Bug Check Codes

This chart shows the top ten bug check codes that caused a system crash and the number of crashes attributed to each code. For more information about these bug check codes, see Microsoft: Bug Check Code Reference.

View endpoints with events

The results grid below the charts shows a list of the endpoints that reported that event type. Use the Filter Events section to filter the results based on Model, Operating System, Process Name, or Bug Checks. The available filters vary based on the selected chart.

You can also click a bar in a chart to filter the results to the endpoints represented by that piece of the chart.

Customize the results

Click Customize Columns to add or remove columns from the results table. Possible columns are:

  • Computer Name
  • IP Address
  • Events

    The number of events for the selected chart (All, CPU, Memory, Disk Capacity, Disk Latency, Application Crashes, or System Crashes) that occurred during the selected Scope.

  • Bitness (32-bit or 64-bit architecture; available only for All and CPU)
  • Is Virtual (available only for All and CPU)
  • Total Memory (available only for Memory)
  • Platform
  • Model
  • Performance Score
  • Top Processes (available only for CPU and Memory)

    The processes that consumed the most CPU or memory, depending on the selected chart, for the duration of the event. They are reported as the top processes associated with the event.

  • Processes (available only for Application Crashes)

    The process associated with the crash.

  • Action

    If you installed Direct Connect, provides a link to connect to the endpoint.

Drag and drop the items in the Customize Columns list to change the order of the columns in the results table. Click a column header to sort the results by that column.

Connect directly to an endpoint

Click Direct Connect to Endpoint in the Action column to connect directly to the endpoint for further troubleshooting.

You must have the Direct Connect solution installed and configured to use this action. For more information, see Connecting directly to endpoints.

View in Tanium Interact

Click View question results in Interact to open the question results in Interact. From there, you can modify the question or drill down in the results to find more details about the endpoints that reported an event.

You might want to use this feature to refine the data that is returned or to schedule an action on the endpoints. For more information about working with the Question Builder, see Tanium Console User Guide: Using the Question Builder. This button is available in the event charts and lists of endpoints on the Events page.