Here's a related follow up from Friday's Basic Tips on Asking Questions article. In some cases you may run into "[no results]" when you're first ramping up on how to use Tanium. In most cases, asking a Question with "[no results]" is perfectly harmless, but a lot of seasoned Tanium users will proclaim that its less elegant. Regardless, here's why it happens and how to avoid it (if you want to).
What is [no results]?
"[no results]" occurs when a Tanium Client evaluates a Question, decides it needs to produce a result, but has no result to send back.
There are a couple of common ways that the Tanium Client can get into this situation.
1. Your Sensor Scripts Need Work
This one is fairly straightforward -- your scripting needs to be more complete. If a Tanium Client is executing your script and it gets into a path where there is no actual stdout output, then you're going to hit "[no results]". Or, if you create a Sensor and assume it will only be run on Windows, but it gets run on Linux, then you're going to hit "[no results]".
How to Avoid
First, make sure that you've got OS coverage -- make sure you've got a Sensor script for each operating system in your Tanium environment. Second, make sure each script is assured to have at least some stdout output. Even if you have to put something like "N/A on Solaris", thats still better than having to see "[no results]".
2. Your Question Authoring Needs Attention
If you've learned to tackle the first source of "[no results]", then you'll likely be able to avoid a lot of the problem. But if you're still seeing it, its likely due to how you are asking Questions. To explain how this happens, first remember that the second half of the Question instructs a Tanium Client to answer or not answer a Question (see the Tips article from Friday to understand). And, remember that if you add a filter to a Sensor in the first half of the Question, you are potentially eliminating results. If you have a filter that eliminates them all for a computer, then you will hit "[no results]".
Take this example where I want to find all machines that have an IP address ending with .1:
In this case, I incorrectly used "from all machines". Not only did I get the values I wanted (10.8.103.1 and 10.8.108.1), but I also got "[no results]" back from the other 1140 machines that have no IPs that match that. There's a hidden inefficiency since those 1140 machines had to evaluate the IP Address Sensor. In this case, the Sensor used is pretty cheap, but if you were using an expensive Sensor, look out!
The more appropriate way to do it isn't obvious, but you get used to it.
How to Avoid
In order to avoid these kinds of "[no results]", you have to ask a slightly more complicated Question. If you remember, I failed when I specified "from all machines". Instead of doing that, what I should have done was:
As you can see above, by using the added Question filter at the end to ensure that the two machines I'm looking for are the only two to answer. Also, you might be wondering why I left the first filter in the first half of the Question. In some cases, you don't need it. But since the IP Address Sensor is plural (i.e., it tends to produce multiple results). If you took it out, you would be getting back ALL IP addresses (which we don't want) from machines that have the IPs that we are looking for.
Questions? Comments? Either contact us or comment below.