Tanium 6.x: Historical Data and Data Visualization

The previous dashboard’s High CPU Consumption question is archived. This is immediately apparent because the box for the saved question has data three charms on the left side to indicate different ways to visualize the data, and it has a Zoom line in the Answers Grid view. The Zoom line allows an operator to get information within date ranges.

Zoom.png

Choosing ‘current’ will show you the freshest results available. Choosing “recent” will show you the most recent report for any response, including those from machines currently offline. To the left of “recent” is a list of self-explanatory Zoom levels. Here is a 12 hour view of High CPU consumption:
12h_cpu_consumption.png
 

A zoom besides “current” or “recent” will provide some analysis in the grid view. In the last 12 hours for the question above, at least 134 machines and at most 477 machines were under the threshold each time the question is reissued. The average number of machines that were under the threshold in the last hour was 300. And in the last 12 hours, each time the question was reissued, 100% of all machines reporting in – at some point – said their CPU is under threshold. Similarly, 18.5% of the time, for each time the question was issued in the last 12 hours, 1 machine responding to the question answered 91 percent. Do not be confused, as the distribution need not add up to 100% for all values. There is a Pie Chart view available. This is a pie chart view for DAT file age.

Dat_file_pie.png

 

Pie Charts are a quick way to visualize data. Hovering the mouse over the slice will pop it out and provide details. The Chart view of a saved question will visually show distribution over time. Here is the same 12 hour view of the High CPU Usage question in Chart format. Upon first glance, based on the name of the saved question, one might assume there was a big spike in CPU usage.

12h_chart_cpu_consumption.png

However, upon closer inspection, the machines are mostly reporting back that they are under threshold. The spike has to do with the number of machines reporting in in the last 12 hours. It looks like between 7 and 10 in the morning, machines are powered on for the day. There are two options in the upper right – “filter” and “settings” – which can be used to eliminate noise values and change display options.

Chart_filter.png

 

After eliminating Under Threshold, the chart looks very different.

Filtered_stack_chart.png
 

This is a stack of counts reporting in different CPU percentages. From here, because the filter has eliminated “Under Threshold”, it is easy to see the counts of machines that have CPU over that threshold. At 12:16, 15 machines reported that they had high CPU. If there was another saved question that was archiving computer name and running processes, an operator could get answers about what was going on specifically, per machine. Data Visualization is not limited to saved questions. Graphing requires historical data, but Pie Charting does not. Even a question asked in the Question Bar can be Pie Charted if there is a single column returned. That includes Drill Downs, as well, which can also be visualized in a Pie Chart right off the Answers Grid.

Have more questions? Submit a request