NQL data model
Data model concepts
Consult the Understanding key data platform concepts page for more information about the various data model concepts.
Data model
Table | Description |
---|---|
devices | Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector. |
device.antiviruses | The list of antiviruses registered on the device and reported through WMI. |
device.cpus | The list of CPU model names and their nominal clock speeds. |
device.disks | The list of storage devices. |
device.firewalls | The list of firewalls registered on the device and exposed through the Windows Security Center. |
device.gpus | The graphics processing unit. |
device.local_admins | The list of users and groups that are members of the local Administrators group on the device. |
device.monitors | The list of monitors connected to the device. |
device.volumes | The list of logical storage volumes. |
binaries | Table of binaries. A binary is an executable binary file identified by its hash code. |
users | Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user. |
alert.monitors | The table of defined alert monitors in the system. |
alerts | The table collecting information about instances where metric values go outside normal parameters as defined in monitors. |
alert.impacts | The table collecting information about instances of an alert impact. |
applications | Table of defined applications. |
application.network_applications | Table of defined network applications. |
application.pages | Table of defined key pages. |
application.transactions | Table of defined transactions. |
campaigns | The table collecting all active and retired campaigns. |
campaign.responses | The table collecting responses (expected or given) of a campaign by an employee. |
collaboration.sessions | Table collecting meetings performed with collaboration tools such as Teams or Zoom. |
connection.events | The connection.events table contains events for outgoing TCP connections and UDP packets. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated with binaries, users, devices, and applications (optional). |
connection.tcp_events | The connection.tcp_events table has been deprecated. Please use the 'connection.events' table instead. |
connection.udp_events | The connection.udp_events table has been deprecated. Please use the 'connection.events' table instead. |
connectivity.events | Table collecting performance metrics and attributes specific to a device's connectivity. |
device_performance.boots | The table collecting boots of devices. |
device_performance.events | The table collecting performance metrics and attributes specific to a device. |
device_performance.hard_resets | The table contains hard resets, which occur when a device reboots without first completing the shutdown procedure. This could apply to situations where a device totally freezes up and can only be restarted by turning it off first, as well as situations involving power outages. |
device_performance.system_crashes | The table collecting the system crashes of the devices. |
dex.application_scores | application_score |
dex.scores | A table of the DEX score. |
execution.crashes | The table collecting crashes of a running process. |
execution.events | The table collecting performance metrics and attributes specific to a process execution. |
packages | A table of packages. A package is a group of files and executables that together constitute a software application. |
package.installations | A table of package installation events. |
package.uninstallations | A table of package uninstallation events. |
package.installed_packages | A table of all installed packages on all devices. |
remote_actions | The table of defined remote actions. |
remote_action.executions | The table collecting the executed remote actions. |
remote_action.executions_summary | The table collecting the trend of executed remote actions. |
services | A table of services. A service performs automated tasks, responds to hardware events, or listens for data requests from other software. These services are often loaded automatically at startup and run in the background, without user interaction. |
service.changes | Timeline of events when an attribute of an existing service has changed on a device. |
service.installations | Punctual event indicating when a service was added to or removed from a particular device. |
service.installed_services | A table of all installed services on all devices. |
session.connects | The table collecting connections linked to user sessions. |
session.disconnects | The table collecting disconnections linked to user sessions. |
session.events | The table collecting performance metrics and attributes specific to both local and remote sessions. |
session.lifecycle_events | The table collecting all events linked to user sessions. |
session.locks | The table collecting locks linked to the user sessions. |
session.logins | The table collecting all session logins. |
session.logouts | The table collecting all session logouts. |
session.unlocks | The table collecting unlocks linked to user sessions. |
software_metering.meter_configurations | meter_configuration |
software_metering.events | event |
web.errors | The table collecting errors of defined business-critical services. |
web.events | The table collecting events of defined business-critical services. |
web.page_views | Table collecting page views of defined business-critical services. |
web.transactions | The table collecting transactions of defined business-critical services. |
workflows | workflow |
workflow.executions | execution |
workflow.executions_summary | execution_summary |
Namespace device
The device namespace includes one large devices table, which has multiple fields referring to device properties such as hardware, operating system and also Nexthink Collector.
devices
Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.
Field | Type | Description | Supported platforms |
---|---|---|---|
ad_site | string | AD site: Indicates the site to which the device is assigned in Active Directory (AD). Details: In case the device is not part of a domain, the value shows as "-". | Windows |
boot.days_since_last_full_boot | integer | Days since last full boot: The number of days since the device's last boot following a restart or a complete shutdown. | Windows |
boot.last_full_boot_duration | duration | Last full boot duration: The duration of the device's last boot following a restart or a complete shutdown. | Windows |
boot.last_full_boot_time | datetime | Last full boot time: The date and time of the device's last boot following a restart or a complete shutdown. | Windows |
collector.last_update_status | string | Collector last update status: The last update status received from a specific Collector instance. | Windows |
collector.last_update_status_date | datetime | Collector last update status date: The reception date of the last update status for a specific Collector instance. | Windows |
collector.local_ip | ipAddress | Collector local IP: The local IP used for the traffic between the endpoint and the Nexthink Instance. | Windows |
collector.tag_id | integer | Collector tag: The configurable number that identifies a group of Collector instances. The tag is useful for defining the entities to build hierarchies. Details: An optional field that must be an integer number between 0 and 2147483647. Could complement the Collector string tag. | |
collector.tag_string | string | Collector string tag: The configurable label that identifies a group of Collector instances. The string tag is useful for defining the entities to build hierarchies. Details: An optional field, with a maximum length of 2048 characters. Could complement the Collector tag. | Windows |
collector.target_update_date | datetime | Collector target update date: The date when the devices install the target version. | Windows |
collector.target_version | version | Collector target version: The version to which all Collector instances update next. | Windows |
collector.uid | uuid | UID: The Collector unique identifier, provided using the UUID format. | |
collector.update_group | string | Collector update group: For scheduling separate waves of Collector updates, the devices are assigned to one of the available update groups. Possible values: Details: By default, 10% of all the Collector instances are assigned to the Pilot update group. The Pilot group starts updating two days after a new Collector version is available. The Main group starts updates 14 days after the Pilot group. | Windows |
collector.version | version | Collector version: Indicates the version of the Collector instance installed on the device. | Windows |
connectivity.last_connectivity_type | enumeration | Connectivity type: Last type of network adapter used. Possible values are: | Windows |
connectivity.last_local_ip | ipAddress | Local IP: The last local IP address for the primary physical network adapter of the device. | Windows |
days_since_first_seen | integer | Days since first seen: The number of days since the first time the device was seen by the Nexthink instance. | Windows |
days_since_last_seen | integer | Days since last seen: The number of days since the last time the device was seen active by the Nexthink instance. | Windows |
distinguished_name | string | Distinguished name: The unique identifier of a device when joined to a domain or workgroup. Details: Shows as "-" when the device is not part of a domain or workgroup. | Windows |
entity | string | Entity: A customizable field used for organizing a group of devices into logical groups. | Windows |
first_seen | datetime | First seen: The date and time the device was first seen by the Nexthink instance. | Windows |
group_name | string | Group name: The name of the security group containing the device when joined to a domain or workgroup. | Windows |
hardware.bios_serial_number | string | BIOS serial number: The serial number of the motherboard. Details: On macOS, this is the same as the chassis serial number. | Windows |
hardware.chassis_serial_number | string | Chassis serial number: The chassis serial number. Details: On macOS, this is the same as the BIOS serial number. | Windows |
hardware.machine_serial_number | string | Machine serial number: The unique serial number of the device in a UUID format. | Windows |
hardware.manufacturer | string | Manufacturer: The short name of the device manufacturer. Details: While devices might natively report slight variations of it, for example, sometimes dependent on the model or year of introduction, the information is simplified to ensure consistency across different devices of the same manufacturer. | Windows |
hardware.memory | bytes | Installed memory: The total amount of random-access memory (RAM) installed on the device. | Windows |
hardware.model | string | Device model: The model of the device. Details: On Windows, it is provided by the device manufacturer using the WMI interface as the product name. | Windows |
hardware.product_id | string | Product ID: A variant of a specific device model, sometimes also referred to as the SKU number. Details: Provided by the device manufacturer through the WMI interface as the SKUNumber. | Windows |
hardware.product_line | string | Product line: The product line or hardware version information. Details: Provided by the device manufacturer through the WMI interface as the product version. | Windows |
hardware.type | enumeration | Device type: The device form factor: | Windows |
last_seen | datetime | Last seen: The date and time of the last device activity received by the Nexthink instance. | Windows |
license_type | enumeration | License type: The type of license used for this device. Possible values: | Windows |
location.type | string | Location type: The type of location indicates whether the device is onsite or remote. | Windows |
login.last_login_user_name | string | Last logged in user: The name of the user associated to the last login on the device. | Windows |
membership_type | enumeration | Membership type: The type of computer group membership. Possible values: | Windows |
name | string | Name: The name of the device as used by the operating system for identification purposes on the local network. Details: Source: | Windows |
operating_system.architecture | enumeration | Architecture: The architecture of the device operating system. The instruction set it can natively execute. Details: Possible values: | Windows |
operating_system.build | version | Build: The build number of the operating system. Details: The build number is set to "0.0.0.0" if the Collector version is incompatible or the data is not yet available. | Windows |
operating_system.days_since_last_update | integer | Days since last system update: The number of days since the last system update. | Windows |
operating_system.is_activated | bool | Is activated: The Windows license activation status. Details: macOS does not require a license since OSX 10.9 Mavericks (released in 2013), and shows as "-". | Windows |
operating_system.last_update | datetime | Last system update: The date and time of the last system update. | Windows |
operating_system.name | string | Name: The combination of the name, version and architecture (when applicable) of the operating system. Details: The operating system name is set to "Unknown" if the name or version cannot be retrieved or mapped to a valid value. | Windows |
operating_system.platform | enumeration | Platform: The software platform composed of a collection of operating system families providing access to the same objects, activities, events and properties. Details: Possible values are: | Windows |
operating_system.wmi_status | enumeration | WMI status (deprecated): This field is deprecated and will be replaced in the future. Details: The status of the WMI extension Collector relies on for device identification. Used internally to mitigate potential transient issues with this particular WMI source. | Windows |
organization.entity | string | Entity: The organizational entity to which the device belongs. | |
public_ip.city | string | City: The city where the device is located. | Windows |
public_ip.country | string | Country: The country where the device is located. | Windows |
public_ip.ip_address | ipAddress | Public IP address: The public IP address of the device. | Windows |
public_ip.isp | string | ISP: The internet service provider of the device. | Windows |
public_ip.state | string | State: The subdivision (for example, state) where the device is located. | Windows |
sid | string | SID: The Security Identifier (SID) of the device, often used for identification and permission control purposes. | Windows |
uid | uuid | Device UID: Unique identifier of the device. | Windows |
user_account_control_status | enumeration | User account control status: Indicates if the User Account Control (UAC) is configured, forcing applications to request explicit approval from the user to make changes to the computer or to run with elevated permissions. Details: Possible values: | |
virtualization.desktop_broker | enumeration | Desktop broker: Name of the desktop virtualization product used to broker the remote desktop connections. | Windows |
virtualization.desktop_pool | string | Desktop pool name: The hardware characteristics of the associated virtual machines. | Windows |
virtualization.disk_image | string | Disk image: Name of the disk image used to deploy the virtual machine. | Windows |
virtualization.environment_name | string | Environment name: Name of the connector used to retrieve the virtualization details. | Windows |
virtualization.hostname | string | Virtualization hostname: The physical device on which the virtual machine is hosted. | Windows |
virtualization.hypervisor_name | string | Hypervisor name: The hardware virtualization system running the virtual machine. | Windows |
virtualization.instance_size | string | Instance size: A predefined configuration that determines the CPU, memory and storage which is allocated to a virtual machine. | Windows |
virtualization.last_update | datetime | Last update: Date and time when the desktop virtualization information was last updated. | Windows |
virtualization.region | string | Region: Geographical areas where one or more Microsoft Azure data centers are located. | Windows |
virtualization.type | enumeration | Desktop pool type: The type of the desktop pool. Possible values are: | Windows |
antiviruses
The list of antiviruses registered on the device and reported through WMI.
Field | Type | Description | Supported platforms |
---|---|---|---|
is_up_to_date | enumeration | Up to date: The up-to-date status of the antivirus. Possible values are: | Windows |
name | string | Name: The name of the main antivirus. | Windows |
real_time_protection | enumeration | Real-time protection: The status of the antivirus real time protection (RTP). Possible values are: | Windows |
cpus
The list of CPU model names and their nominal clock speeds.
Field | Type | Description | Supported platforms |
---|---|---|---|
frequency | integer | CPU frequency: The CPU base frequency in MHz. The base frequency can be much smaller than the maximum turbo frequency. For example, the Intel Core i7-8565U CPU has a base frequency of 1.80 GHz and a maximum frequency of 4.6 GHz. | Windows |
name | string | CPU name: The CPU model. | Windows |
number_of_cores | integer | Number of cores: The number of CPU cores. | Windows |
number_of_logical_processors | integer | Number of logical processors: The number of CPU cores multiplied by the number of threads that can run on each core using hyperthreading. | Windows |
disks
The list of storage devices.
Field | Type | Description | Supported platforms |
---|---|---|---|
capacity | bytes | Capacity: The disk capacity. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS. | Windows |
is_bootable | bool | Is bootable: Returns the value "yes" when the device boots from that disk. | Windows |
name | string | Name: The name of the physical or virtual disk drive. | Windows |
type | enumeration | Type: The type of drive. Possible values are: | Windows |
firewalls
The list of firewalls registered on the device and exposed through the Windows Security Center.
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The name of the main firewall. | Windows |
real_time_protection | enumeration | Real-time protection: The status of the firewall real time protection (RTP). Possible values are: | Windows |
gpus
The graphics processing unit.
Field | Type | Description | Supported platforms |
---|---|---|---|
memory | bytes | Memory: The video memory in bytes. | Windows |
name | string | Name: The graphics card name. | Windows |
local_admins
The list of users and groups that are members of the local Administrators group on the device.
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The users who are members of the local Administrators group on the device. | Windows |
type | enumeration | Type: The type of the user. Possible values are: | Windows |
monitors
The list of monitors connected to the device.
Field | Type | Description | Supported platforms |
---|---|---|---|
diagonal_size | float | Diagonal size: The diagonal size in inches. | Windows |
horizontal_resolution | integer | Horizontal resolution: The maximum horizontal resolution in pixels. | Windows |
name | string | Name: The monitor name. | Windows |
serial_number | string | Serial number: The monitor serial number. | Windows |
vendor | string | Vendor: The monitor vendor. | Windows |
vertical_resolution | integer | Vertical resolution: The maximum vertical resolution in pixels. | Windows |
volumes
The list of logical storage volumes.
Field | Type | Description | Supported platforms |
---|---|---|---|
capacity | bytes | Capacity: The volume capacity in bytes. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS. | Windows |
name | string | Name: The name of the volume. | Windows |
system | bool | Operating system volume: Returns the value "yes" when the volume contains the operating system. | Windows |
usage | float | Usage: The volume usage in percent. | Windows |
Namespace binary
Table of binaries. A binary is an executable binary file identified by its hash code.
binaries
Table of binaries. A binary is an executable binary file identified by its hash code.
Field | Type | Description | Supported platforms |
---|---|---|---|
architecture | enumeration | Architecture: The operating system architecture the binary is compiled for (32-bit or 64-bit). | Windows |
company | string | Company: The name of the company that produced the binary. Details: Information retrieved from the file properties. | Windows |
description | string | Description: Used for describing the purpose of the file or to complement the name with additional details. Details: Information retrieved from the file properties. | Windows |
first_seen | datetime | First seen: The date and time the binary was first seen by the Nexthink instance. | Windows |
has_user_interface | bool | Has user interface: Indicates if the binary has an interactive window while running. Details: Reported value is NULL (or 'false') if the binary has no interactive window or if the information is not available. | Windows |
last_seen | datetime | Last seen: The date and time of the last binary activity received by the Nexthink instance. | Windows |
md5_hash | bytea | MD5 hash: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The MD5 hash represented in the base64 format. | Windows |
name | string | Name: The file name of the binary executed. | Windows |
platform | enumeration | Platform: The operating system family on which the binary natively runs. Details: Possible values are: | Windows |
product_name | string | Product name: The name of the application associated with the file. Details: Information retrieved from the file properties. | Windows |
sha-1_hash | bytea | SHA-1 hash: The SHA-1 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary. Details: The SHA-1 hash represented in the hex format. | Windows |
sha-256_hash | bytea | SHA-256 hash: The SHA-256 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary. Details: The SHA-256 hash represented in the hex format. | Windows |
size | bytes | Size: The size of the binary file, in bytes. | Windows |
uid | uuid | Binary UID: The unique identifier for the binary. | Windows |
version | version | Version: The version of the binary file, retrieved from the file properties. | Windows |
Namespace user
The users table within the user namespace includes information about the individual accounts across the IT infrastructure. It contains all employees recognized by your Nexthink instance. Most of the table fields are derived from Entra ID and are included in the "ad" grouping. A user may have access to more than one device.
users
Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.
Field | Type | Description | Supported platforms |
---|---|---|---|
ad.city | string | City: The name of the city the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.country_code | string | Country code: The country or region the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: The country or region is represented as a two-character code based on the ISO-3166 standard. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.department | string | Department: The name of the department the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.distinguished_name | string | Distinguished name: The unique identifier of a domain user for an on-premises Active Directory (AD). Requirements: Requires one or more connectors for Entra ID correctly configured, and Entra ID needs to be synchronized with an on-premises AD. Details: The distinguished name follows the LDAP syntax. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.email_address | string | Email address: The email address of the user. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.full_name | string | Full name: The name displayed in the address book for the user. This is usually the combination of the user first name, middle initial and last name. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.job_title | string | Job title: The job title assigned to the user in Active Directory. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.last_update | datetime | Last update: The date and time of the last update received for the user information from Entra ID. | Windows |
ad.office | string | Office: The name of the physical location or office the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.organizational_unit | string | Organizational unit name: The name of the directory folder containing the user account. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
ad.username | string | AD Username: The name of the user account as it appears in Entra ID. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured. | Windows |
days_since_first_seen | integer | Days since first seen: The number of days since the first time the user account was seen by the Nexthink instance. | Windows |
days_since_last_seen | integer | Days since last seen: The number of days since the last time the user account was seen active by the Nexthink instance. | Windows |
first_seen | datetime | First seen: The date and time the user account was first seen by the Nexthink instance. | Windows |
last_seen | datetime | Last seen: The date and time of the last user account activity received by the Nexthink instance. | Windows |
name | string | Username: The name of the user account on the local device. Requirements: The Collector is configured to report the username (see Configuring Collector level anonymization). Details: Depending on the configuration, the Collector reports the username in cleartext, as a hashed value or not at all. | Windows |
sid | string | SID: The unique security identifier (SID) of the user account on Windows. Details: On Windows, each user account has a unique security identifier (SID) used to provide access to system resources. On macOS, a unique SID is generated by Nexthink to facilitate user identification. | Windows |
type | enumeration | Type: The type of the user account. Details: Nexthink recognizes three types of user accounts: | Windows |
uid | uuid | User UID: The value that uniquely identifies a user on the Nexthink platform. | Windows |
upn | string | UPN: The User Principal Name (UPN), a unique identifier for a user account. Requirements: The Collector is configured to report the UPN (see Configuring Collector level anonymization). Details: The User Principal Name (UPN) is a standardized identifier for users (RFC822). Normally, it takes the form of an email address. The UPN allows a user to be uniquely identified across systems, for example, devices with different OS platforms. Nexthink uses the UPN to enrich user objects with data from third-party services. | Windows |
upn_privacy_level | enumeration | UPN privacy level: Indicates how securely the User Principal Name (UPN) is stored by the Nexthink instance. Requirements: The Collector is configured to report the UPN (see Configuring Collector level anonymization). Details: The User Principal Name (UPN) privacy level is a Collector configuration parameter on the user device. Depending on the configuration, the Collector reports the UPN in cleartext, as a hashed value or not at all. The options are represented by the following values: | Windows |
Namespace alert
The alert namespace consists of two tables: alerts and monitors. Monitors store sets of rules configured by Nexthink users (monitor name, threshold, priority, etc.), describing acceptable limits for metrics. Alerts store information about instances where metric values go outside normal parameters as defined in monitors. You may want to query the alerts table if you have permission to run investigations but are not allowed to access alerts dashboards or when creating dashboards for reporting.
monitors
The table of defined alert monitors in the system.
Field | Type | Description | Supported platforms |
---|---|---|---|
comparison_operator | enumeration | Comparison operator: Determines when a monitor should trigger an alert. Details: It is one of the key elements used to define the conditions within a monitor in order to trigger an alert. It is specifically utilized when setting up the breaching criteria for the primary metric. A comparison operator allows for the comparison of values to determine if the specified condition is met. | |
multiple_contexts | bool | Multiple-context: Indicates if the monitor triggers alerts with different contexts. Details: The value is set to "Yes" when NQL has a "group by" clause. | |
name | string | Monitor name: The assigned name of a configured monitor. Details: A monitor is a defined set of metrics and conditions used to continuously observe a system or process and trigger an alert when certain criteria are met. | |
nql_id | string | NQL ID: The unique NQL identifier of the monitor. Details: NQL ID cannot be changed after initial creation. | |
origin | enumeration | Monitor origin: Indicates where the monitor originates from. Monitors can be built into the Nexthink platform (system), installed using a library pack (library) or created manually (custom). | |
priority | enumeration | Priority: The importance of alerts that are triggered by the monitor. Details: Possible values are:
defined by the user in the monitor configuration. | |
status | enumeration | Status: The status of the monitor as set in the "Manage monitors". Details: Possible values are:
| |
tags | jsonArrayString | Alert tags: List of user-defined labels that are assigned to a monitor and subsequently utilized for filtering alerts that are generated by the monitor. Details: Tags are created and specified within the monitor configuration. By assigning tags to monitors, users can categorize and organize monitors based on specific criteria, making it easier to filter and manage alerts based on these tags. | |
threshold | float | Threshold: It defines the value of the primary metric that must be exceeded for the monitor to trigger an alert. Details: The threshold value serves as a reference point against which the metric actual value is compared to determine if it breaches the defined condition and triggers an alert. | |
thresholds | jsonArrayString | Thresholds: It contains the values of all metrics that need to be breached to trigger an alert. | |
type | enumeration | Monitor type: The chosen method used for monitoring. It identifies the specific approach employed to observe and evaluate the system or process being monitored. Details: Possible values are:
|
alerts
The table collecting information about instances where metric values go outside normal parameters as defined in monitors.
alerts are punctual events.
alerts are associated to user, device, monitor
Field | Type | Description | Supported platforms |
---|---|---|---|
context | jsonArrayString | Context: The relevant information needed to understand the alert. Details: Depending on the alert, the context information may contain the name of the binary, device or user associated with the alert. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
context_hash | string | Context hash: The unique fingerprint of the alert context. Details: The fingerprint is created by calculating an MD5 hash of the context. | |
duration | duration | Alert duration: The duration when the alert is active. Details: It is calculated as the time between the trigger and the recovery if the alert is closed, or between the trigger and now if the alert is open. | |
is_auto_recovery | bool | Auto-recovery: Indicates if the alert was auto-recovered. Details: Auto-recovery takes place when there are no events recorded for the metric(s) specified in the monitor configuration within the selected timeframe. | |
is_grouped | bool | Group alert: It represents a situation where too many alerts have been generated by a single monitor at the same time. The monitor will not generate any more alerts until the situation has been resolved. | |
number_of_alerts | long | Number of alerts: The number of alerts triggered. | |
recovery_reference_value | float | Recovery reference value: It contains the reference value of the main (first) monitored metric that is checked to recover an alert. | |
recovery_time | datetime | Recovery time: Contains the date and time at which the alert was recovered. | |
recovery_value | float | Recovery value: The value of the metric that caused the alert to be recovered. Equal to the first metric value if more than one trigger condition is defined. | |
recovery_values | jsonArrayString | Recovery values: The lists of values of all the monitored metrics reported when the alert has recovered. | |
status | enumeration | Status: The status of the alert event. The status can be open or closed. Details:
| |
time | datetime | Alert time: Alert bucket time. | |
trigger_reference_value | float | Trigger reference value: The reference value of the metric against which the current value was compared to trigger the alert. | |
trigger_time | datetime | Trigger time: The date and time when the alert was raised. | |
trigger_value | float | Trigger value: The value of the metric that bypassed the threshold defined in the monitor configuration and caused the alert to be raised. Details: Equal to the first metric value if more than one trigger condition is defined. | |
trigger_values | jsonArrayString | Trigger values: The values of the metrics that bypassed the thresholds defined in the monitor configuration and caused the alert to be raised. | |
uid | uuid | Alert event UUID: The unique identifier of the alert event. |
impacts
The table collecting information about instances of an alert impact.
impacts are punctual events.
impacts are associated to user, device, monitor
Field | Type | Description | Supported platforms |
---|---|---|---|
alert_uid | uuid | Associated alert event UUID: The unique identifier of the associated alert event. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration | duration | Impact duration: The duration of the impact. Details: It is calculated as the time between the "from_time" and the "to_time" if there is more than one trigger, or between the "from_time" and now if there is only one trigger. | |
from_time | datetime | Impact from: Impact from | |
to_time | datetime | Impact to: Impact to |
Namespace application
The application namespace contains a set of tables that store information about business-critical services configured by Nexthink users in the Application module. The tables include configuration data such as the name and ID of each application, as well as defined key pages and transactions. These tables can be queried alongside associated tables to help identify issues with business-critical services.
applications
Table of defined applications.
Field | Type | Description | Supported platforms |
---|---|---|---|
category | enumeration | Category: The category of the application. There are two categories: connectivity and standard. Requirements: The applications need to be defined through the application configuration menu. Details: Connectivity applications (for example, VPN, ZTNA, XDR) will be highlighted in the device view, to correlate their activity with any employee connectivity issues. Any other application falls under the Standard category. Applications are assigned the 'Standard' category by default; users can select the 'Connectivity' category when applicable. | |
name | string | Name: The name of the web, desktop or hybrid application. Requirements: The applications need to be defined through the Applications configuration menu. Details: More info from the documentation |
network_applications
Table of defined network applications.
Field | Type | Description | Supported platforms |
---|---|---|---|
category | enumeration | Category: The category of the network application. There are two categories: connectivity and standard. Requirements: The network applications need to be defined through the application configuration menu. Details: Connectivity applications (for example, VPN, ZTNA, XDR) will be highlighted in the device view, to correlate their activity with any employee connectivity issues. Any other application falls under the Standard category. Applications are assigned the 'Standard' category by default; users can select the 'Connectivity' category when applicable. | |
name | string | Name: The name of the network application. Requirements: The network applications need to be defined through the Applications configuration menu. Details: More info from the documentation |
pages
Table of defined key pages.
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The name of the key page defined for a web application. Key pages divide a web application into functionally relevant parts based on URL patterns. Requirements: The key pages need to be defined through the application configuration menu. Details: More info from the documentation |
transactions
Table of defined transactions.
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The name of the transaction defined for a web application. A transaction is an employee action or event in a web application that creates business value for the company. Requirements: The transactions need to be defined through the application configuration menu. Details: More info from the documentation |
Namespace campaign
The campaign namespace consists of two tables. The campaign table stores information about campaigns configured by Nexthink users (such as campaign id, name, trigger method, etc.). The responses table collects all responses to campaigns. It indicates whether the employee declined or postponed the campaign or how many questions they answered.
campaigns
The table collecting all active and retired campaigns.
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The name of a campaign. Details: User defined through the Campaigns user interface or Finder | |
nql_id | string | NQL ID: The unique identifier of a campaign. Details: The NQL ID cannot be changed after its initial creation. | |
priority | enumeration | Priority: The configured priority of the campaign. Details: The campaign priority influences which employee protection rules are applied: urgent campaigns bypass the do-not-disturb rules, unlike normal campaigns.
| |
status | enumeration | Status: The current status of the campaign. Details: Possible values:
| |
trigger_method | enumeration | Trigger: The possible ways of triggering the campaign. Details: Possible values:
|
responses
The table collecting responses (expected or given) of a campaign by an employee.
responses are punctual events.
responses are associated to user, device, campaign
Field | Type | Description | Supported platforms |
---|---|---|---|
answers | string | Answers: The campaign answers (details and values) given by the employee. Details: The answers are structured as a JSON object that includes, for each answered question. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
displayed_language | enumeration | Displayed language: The language in which the content of a multilingual campaign was shown to the employee. Details: Applicable only to multilingual campaigns.
| |
expiry_date | datetime | Expiry Date: Shows the expiry date and time of an employee campaign request. | |
first_displayed | datetime | First displayed time [Local]: The date and time at which the employee saw the campaign for the first time, adjusted to your local time. | |
first_planned | datetime | First planned time [Local]: The date and time at which the campaign is set to the planned state first, adjusted to your local time. | |
first_targeted | datetime | First targeted time [Local]: The date and time at which the campaign is set to the targeted state first, adjusted to your local time. | |
historical_state | jsonArrayString | Historical states: It describes the historical state updates for an employee campaign response. Details: The times are sorted chronologically. | |
historical_state_details | jsonArrayString | Historical state details: The historical state details updates for an employee campaign response, as an array sorted chronologically. Details: The times are sorted chronologically. | |
historical_time | jsonArrayString | Historical times: The historical update times for an employee campaign response, as an array sorted chronologically. Details: The times are sorted chronologically. | |
number_of_answered_questions | integer | Number of answered questions: The number of questions answered by the employee. | |
parameters | string | Parameters: It indicates the value of all campaign parameters as defined when triggering this campaign response. | |
request_id | string | Request ID: The unique identifier generated at the time the user was targeted for that campaign. Details: The request ID is the unique identifier for a campaign response. The same user may have different requests with different request IDs if the user was targeted several times for the same campaign. | |
state | enumeration | State: It describes the current state of the campaign response. Details: Possible values:
| |
state_details | enumeration | State Details: It describes the current state details of the campaign response. Details: The possible state details depend on the current state.
| |
time | datetime | Time [Local]: The date and time when the response was updated for the last time, adjusted to your local time. | |
trigger_method | enumeration | Trigger method: It describes the trigger method that was used to target the user for the campaign. Details: Possible values:
|
Namespace collaboration
The collaboration namespace consists of only one table: sessions, which refers to all meetings performed with collaboration tools such as Teams and Zoom. It stores detailed information about each meeting, including its duration, connection type, equipment used, audio and video quality, among other details. This data is used to monitor critical collaboration applications, for example, using dashboards with call quality overview.
sessions
Table collecting meetings performed with collaboration tools such as Teams or Zoom.
sessions are punctual events.
sessions are associated to device, user
Field | Type | Description | Supported platforms |
---|---|---|---|
application.type | enumeration | Application type: Type of the application used for a given call. Possible values are:
| |
application.version | version | Application version: Application version used during the session. Requirements: This requires
See more details in the related documentation. | |
audio.inbound_jitter | duration | Audio inbound jitter: Average change in delay between successive inbound audio packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.inbound_latency | duration | Audio inbound latency: The time it takes an inbound audio packet to reach a participant’s device. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.inbound_packet_loss | float | Audio inbound packet loss: Ratio of inbound audio packets that never reach their destination compared to the total of audio packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.inbound_rocs | float | Audio inbound ROCS: Ratio comparing the number of audio frames generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.inbound_rtt | duration | Audio inbound RTT: Time an audio packet takes to reach a participant’s device and for the response to reach its origin. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.outbound_jitter | duration | Audio outbound jitter: Average change in delay between successive outbound audio packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.outbound_latency | duration | Audio outbound latency: The time it takes an outbound audio packet to reach its destination from a participant’s device. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.outbound_packet_loss | float | Audio outbound packet loss: Ratio of outbound audio packets that never reach their destination compared to the total number of outbound audio packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.outbound_rocs | float | Audio outbound ROCS: Average ratio comparing the number of outbound audio frames with concealed samples generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.outbound_rtt | duration | Audio outbound RTT: Time an outbound audio packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
audio.quality | enumeration | Audio call quality: Assessment of the audio call quality. Possible values are:
| |
call.end_time | datetime | Call end time: Time when the last user left the call. Requirements: This requires
See more details in the related documentation. | |
call.id | string | Call ID: Unique identifier for the call record. | |
call.start_time | datetime | Call start time: Time when the first user joined the call. | |
connection_type | enumeration | Connection type: The internet connection type for a participant in a given call. Possible values are:
| |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration | duration | Session duration: Time between the start time and end time of the session. Requirements: This requires
See more details in the related documentation. | |
end_time | datetime | Session end time: Time when the user left the call. Requirements: This requires
See more details in the related documentation. | |
has_screen_share | bool | Has screen share: Indicates if screen sharing was used during the call. Requirements: This requires
See more details in the related documentation. | |
has_video | bool | Session contains video: Indicates if video was used during the call. Requirements: This requires
See more details in the related documentation. | |
id | string | Session ID: Unique identifier of the session. Requirements: This requires
See more details in the related documentation. Details: Peer-to-peer calls typically only have one session, whereas group calls typically have at least one session per participant. | |
participant_device.camera | string | Camera: Camera used during the session. Requirements: This requires
See more details in the related documentation. | |
participant_device.mac_address | string | MAC address: MAC address of the participant's device during the session. Requirements: This requires
See more details in the related documentation. | |
participant_device.microphone | string | Microphone: Microphone used during the session. Requirements: This requires
See more details in the related documentation. | |
participant_device.speaker | string | Speaker: Speaker used during the session. Requirements: This requires
See more details in the related documentation. | |
participant_device.type | enumeration | Device type: Participant’s device type during the session. Possible values are:
| |
participant_failed_to_connect | string | Participant failed to connect: Indicates whether the participant failed to connect to the call. Requirements: This requires
See more details in the related documentation. | |
participant_got_disconnected | string | Participant got disconnected: Indicates if the participant got disconnected during the call. Requirements: This requires
See more details in the related documentation. | |
start_time | datetime | Session start time: Time when the user joined the call. Requirements: This requires
See more details in the related documentation. | |
video.inbound_frame_rate | integer | Video inbound frame rate: Frequency at which inbound frames appear on a display. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.inbound_jitter | duration | Video inbound jitter: Average change in delay between successive inbound video packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.inbound_latency | duration | Video inbound latency: Time it takes an inbound video packet to reach a participant’s device. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.inbound_packet_loss | float | Video inbound packet loss: Ratio of inbound video packets that never reach their destination compared to the total number of inbound video packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.inbound_rtt | duration | Video inbound RTT: Time an inbound video packet takes to reach a participant’s device and for the response to reach its origin. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.outbound_frame_rate | integer | Video outbound frame rate: The frequency at which outbound frames appear on a display. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.outbound_jitter | duration | Video outbound jitter: Average change in delay between successive outbound video packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.outbound_latency | duration | Video outbound latency: The time it takes an outbound video packet to reach its destination from a participant’s device. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.outbound_packet_loss | float | Video outbound packet loss: Ratio of outbound video packets that never reach their destination compared to the total number of outbound video packets. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.outbound_rtt | duration | Video outbound RTT: Time an outbound video packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. | |
video.quality | enumeration | Video call quality: Assessment of the video call quality. Possible values are:
|
Namespace connection
The connections namespace contains a set of tables that allow troubleshooting connection-related issues along three dimensions: binary/application, device (incl. location), and destination (incl. location). The tables contain sampled events with data and metrics about network connections initiated by an application on the device of the user.
Please note: Connections events are only available for devices with Collectors that report "Infinity only".
events
The connections.events table contains events for outgoing TCP connections and UDP packets. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated to binaries, users, devices, and applications (optional).
events are sampled events.
events are associated to binary, device, user, application, network_application
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration: The duration of the time bucket. Requirements: Exclusive to Nexthink Infinity | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
destination.country | string | Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL. | |
destination.datacenter_region | string | Data center region: Region of the data center as provided by the data center owner. Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:
| |
destination.domain | string | Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization. Details: Support for most web requests. | |
destination.ip_address | ipAddress | IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. | |
destination.ip_subnet | ipAddress | Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bits of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or '2600:1401:4000::1724:2625/120' for IPv6. | |
destination.owner | string | Owner: Owner of the destination. Requirements: Exclusive to Nexthink Infinity Details:
| |
destination.port | numeric | Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity | |
destination.type | enumeration | Type: Classifies the destination and allows destinations to be grouped. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types:
| |
end_time | datetime | Bucket end: Time bucket's end time and date. Requirements: Exclusive to Nexthink Infinity | |
establishment_time | duration | Connection RTT: Average round trip time of the TCP connection establishment. Requirements: Exclusive to Nexthink Infinity Details: Average round trip time for all established connections. The round trip time is measured between sending the SYN (synchronize) message and receiving the SYN-ACK (synchronize-acknowledge) message from the remote party during the TCP connection establishment, a 3-way handshake. | |
incoming_traffic | bytes | Incoming traffic: Bytes received by the application. Requirements: Exclusive to Nexthink Infinity Details: Bytes received by the application include the traffic from all TCP connections. | |
ip_version | enumeration | IP version: The Internet Protocol (IP) version used for this connection: IPv4 or IPv6. Requirements: Exclusive to Nexthink Infinity | |
number_of_alive_connections | long | Alive connections: The number of connections that were established in a previous time bucket and continue into the current time bucket. Requirements: Exclusive to Nexthink Infinity Details: Alive connections may end in the current time bucket or continue into the next time bucket. The system counts alive connections as successful. | |
number_of_connections | long | Total number of connections: The total number of failed and successful connections. Requirements: Exclusive to Nexthink Infinity | |
number_of_established_connections | long | Established connections: The number of connections that have been established in the current time bucket. Requirements: Exclusive to Nexthink Infinity Details: Established connections may continue into the next time bucket or they might end in the bucket they were established in. The system counts established connections as successful. | |
number_of_failed_connections | long | Failed connections: The total number of failed connections. Requirements: Exclusive to Nexthink Infinity Details: Failed connections are calculated as the sum of rejected, no host, and no service connections. | |
number_of_no_host_connections | long | Failed connections - no host: The number of connections that failed due to the device not reaching the destination host. Requirements: Exclusive to Nexthink Infinity Details: A connection fails to reach the destination host when the destination host does not acknowledge the TCP SYN message, for example, the remote party does not exist or a firewall blocks the connection request. The system counts 'no host' connections as failed connections. | |
number_of_no_service_connections | long | Failed connections - no service: The number of connections that failed due to the device not reaching the service on the destination host. Requirements: Exclusive to Nexthink Infinity Details: A connection fails to reach the service on the destination host when the destination host acknowledges the initial TCP SYN message by an RST message but no service is bound to the requested port. Note that a firewall protects most personal computers and discards RST messages to prevent port scanning. The system counts 'no service' connections as failed connections. | |
number_of_rejected_connections | long | Failed connections - rejected: The number of outgoing connections that have been rejected on the device of the user. Requirements: Exclusive to Nexthink Infinity Details: The operating system of the device or a local firewall rejects an outgoing connection. The system counts rejected connections as failed connections. | |
number_of_successful_connections | long | Successful connections: The total number of successful connections. Requirements: Exclusive to Nexthink Infinity Details: The system calculates successful connections as the sum of established and alive connections. | |
outgoing_traffic | bytes | Outgoing traffic: Bytes sent by the application. Requirements: Exclusive to Nexthink Infinity Details: Bytes sent by the application include the traffic from all TCP and UDP connections. | |
start_time | datetime | Bucket start: Time bucket's start time and date. Requirements: Exclusive to Nexthink Infinity | |
transport_protocol | enumeration | Transport protocol: The transport protocol of this connection: TCP or UDP. Requirements: Exclusive to Nexthink Infinity |
tcp_events
The connections.tcp_events table has been deprecated. Please use the 'connection.events' table instead.
tcp_events are sampled events.
tcp_events are associated to binary, device, user, application, network_application
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration (deprecated): This field has been deprecated. Please use 'connection.event.bucket_duration' instead. Requirements: Exclusive to Nexthink Infinity | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
destination.country | string | Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL. | |
destination.datacenter_region | string | Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:
| |
destination.domain | string | Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization. Details: Support for most web requests. | |
destination.ip_address | ipAddress | IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. | |
destination.ip_subnet | ipAddress | Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bits of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or '2600:1401:4000::1724:2625/120' for IPv6. | |
destination.owner | string | Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:
| |
destination.port | numeric | Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity | |
destination.type | enumeration | Type: Classifies the destination and allows destinations to be grouped. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types:
| |
end_time | datetime | Bucket end (deprecated): This field has been deprecated. Please use 'connection.event.end_time' instead. Requirements: Exclusive to Nexthink Infinity | |
establishment_time | duration | Connection RTT (deprecated): This field has been deprecated. Please use 'connection.event.establishment_time' instead. Requirements: Exclusive to Nexthink Infinity | |
incoming_traffic | bytes | Incoming traffic (deprecated): This field has been deprecated. Please use 'connection.event.incoming_traffic' instead. Requirements: Exclusive to Nexthink Infinity | |
ip_version | enumeration | IP version (deprecated): This field has been deprecated. Please use 'connection.event.ip_version' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_alive_connections | long | Alive connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_alive_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_connections | long | Total number of connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_established_connections | long | Established connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_established_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_failed_connections | long | Failed connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_failed_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_no_host_connections | long | Failed connections - no host (deprecated): This field has been deprecated. Please use 'connection.event.number_of_no_host_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_no_service_connections | long | Failed connections - no service (deprecated): This field has been deprecated. Please use 'connection.event.number_of_no_service_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_rejected_connections | long | Failed connections - rejected (deprecated): This field has been deprecated. Please use 'connection.event.number_of_rejected_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_successful_connections | long | Successful connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_successful_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
outgoing_traffic | bytes | Outgoing traffic (deprecated): This field has been deprecated. Please use 'connection.event.outgoing_traffic' instead. Requirements: Exclusive to Nexthink Infinity | |
start_time | datetime | Bucket start (deprecated): This field has been deprecated. Please use 'connection.event.start_time' instead. Requirements: Exclusive to Nexthink Infinity |
udp_events
The connections.udp_events table has been deprecated. Please use the 'connection.events' table instead.
udp_events are sampled events.
udp_events are associated to binary, device, user, application, network_application
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration (deprecated): This field has been deprecated. Please use 'connection.event.bucket_duration' instead. Requirements: Exclusive to Nexthink Infinity | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
destination.country | string | Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL. | |
destination.datacenter_region | string | Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:
| |
destination.domain | string | Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization. Details: Support for most web requests. | |
destination.ip_address | ipAddress | IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. | |
destination.ip_subnet | ipAddress | Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bits of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or '2600:1401:4000::1724:2625/120' for IPv6. | |
destination.owner | string | Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:
| |
destination.port | numeric | Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity | |
destination.type | enumeration | Type: Classifies the destination and allows destinations to be grouped. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types:
| |
end_time | datetime | Bucket end (deprecated): This field has been deprecated. Please use 'connection.event.end_time' instead. Requirements: Exclusive to Nexthink Infinity | |
ip_version | enumeration | IP version (deprecated): This field has been deprecated. Please use 'connection.event.ip_version' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_alive_connections | long | Alive connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_alive_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_connections | long | Total number of connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_established_connections | long | Established connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_established_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
number_of_successful_connections | long | Successful connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_successful_connections' instead. Requirements: Exclusive to Nexthink Infinity | |
outgoing_traffic | bytes | Outgoing traffic (deprecated): This field has been deprecated. Please use 'connection.event.outgoing_traffic' instead. Requirements: Exclusive to Nexthink Infinity | |
start_time | datetime | Bucket start (deprecated): This field has been deprecated. Please use 'connection.event.start_time' instead. Requirements: Exclusive to Nexthink Infinity |
Namespace connectivity
Connectivity events offer details about IP networking performance. They can be used to detect and diagnose networking issues such as misconfigurations, poor Wi-Fi signal strength and other issues affecting employees in particular offices or when working from home. Useful trend data can also be obtained using this table.
events
Table collecting performance metrics and attributes specific to a device's connectivity.
events are sampled events.
events are associated to device
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration: Duration of the bucket. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
end_time | datetime | Bucket end: End time of the bucket. | |
primary_physical_adapter.dns_ips | ipAddressArray | List of DNS servers: List of DNS server IP addresses set for the primary physical network adapter. | |
primary_physical_adapter.gateway_ips | ipAddressArray | List of gateways: List of gateway IP addresses set for the primary physical network adapter. | |
primary_physical_adapter.local_ips | ipAddressArray | List of local IPs: List of local IP addresses set for the primary physical network adapter. | |
primary_physical_adapter.type | enumeration | Network adapter type: Type of the primary network adapter:
| |
start_time | datetime | Bucket start: Start time of the bucket. | |
wifi.band | enumeration | WiFi band (preview): The WiFi frequency band used:
| |
wifi.bssid | string | WiFi BSSID: The physical address of the access point or wireless router used to connect to the WiFi. Requirements: By default, Collector does not report the BSSID. Reporting has to be enabled with the WiFi network Collector configuration parameter. | |
wifi.channel_id | integer | WiFi channel ID: The channel ID of the WiFi used. | |
wifi.channel_width | integer | WiFi channel width: Width of the used WiFi channel in MHz. | macOS |
wifi.noise_level | integer | WiFi noise level: Average WiFi noise level in dBm. Details: The WiFi noise is a negative number. The lower, the better. A noise level below -80 dBm is considered good. | macOS |
wifi.p5_signal_strength | integer | WiFi p5 signal strength: 5th percentile of the RSSI. During the 15-minute period, the RSSI was equal to or larger than the received value 95% of the time. Details: 5th percentile of the signal strength in dBm. | |
wifi.physical_layer_protocol | enumeration | WiFi physical layer protocol: The WiFi protocol used. Details: The possible values based on the IEEE 802.11 protocols:
| |
wifi.receive_rate | integer | WiFi receive rate: Receive rate for the WiFi adapter in Mbit/sec. | Windows |
wifi.signal_strength | integer | WiFi signal strength: Average WiFi signal strength in dBm. Details: The WiFi signal strength (RSSI) is a negative number. The higher (closer to 0), the better. A signal strength above -60 dBm is considered good. | |
wifi.ssid | string | WiFi SSID: The WiFi network name (SSID). Requirements: By default, Collector does not report the SSID. Reporting has to be enabled with the WiFi network Collector configuration parameter. | |
wifi.transmission_rate | integer | WiFi transmission rate: Transmission rate for the WiFi adapter in Mbit/sec. Details: This metric provides the best understanding of the quality of the WiFi connection. Higher values are better. |
Namespace device_performance
The device performance namespace gathers tables that store information related to boots, crashes and other device performance indicators. Querying them allows users to investigate system issues.
boots
The table collecting boots of devices.
boots are punctual events.
boots are associated to device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration | duration | Boot duration: The duration of the boot. | Windows |
number_of_boots | integer | Number of boots: The number of device boots. | |
time | datetime | Time: The date and time of the boot. | |
type | enumeration | Type: The type of the boot. Possible values are:
|
events
The table collecting performance metrics and attributes specific to a device.
events are sampled events.
events are associated to device
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration: The duration of the bucket. | |
cached_memory | bytes | Cached memory: The average amount of RAM used for caching and that can be freed up without writing it to the storage first. A higher value indicates that the operating system is optimizing access to more content that otherwise would be available from slower storage. Details: A low value (below 1 GB) can signal that the system could benefit from more memory. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
cpu_interrupt_usage | float | CPU usage by interrupts: The average share of time during which the processor needs to handle hardware interrupts. These interrupts have higher priority than applications and other tasks, and a high value could signal potential hardware or driver issues, or some applications competing for shared hardware resources. Details: Usually should be below 2%; anything above 5% is considered high and often has a perceivable effect on user experience, such as input lag and degraded responsiveness. | Windows |
cpu_queue_length | integer | CPU queue length: The average CPU queue length indicates how many threads are waiting for their turn to get execution time on one of the available logical processors during the observed period of time. Details: Values higher than double the number of available logical processors for an extended period of time signal that the workload could benefit from a CPU with higher core count and better multi-threading capabilities. | Windows |
cpu_usage | float | CPU usage: The average of the total CPU usage of all logical processors for the time period. Maximum value is 100% * number of logical processors available in the system. Details: Suitable for sizing purposes. For example, how many vCPUs would be required if this workload was about to move to a remote desktop? | |
disk_queue_length | float | Queue length of the system drive: The average number of storage input and output tasks waiting to be executed on the system drive. Details: A high number indicates slow storage devices, when applications might have low performance due to waiting for storage access. Anything above 1 is usually to be avoided. | Windows |
disk_read_latency | duration | Read latency of the system drive: The average time the operating system and applications wait for read tasks to be queued and executed on the system drive. Details: While latency is heavily dependent on the type of storage device used, the best practices recommend that on average disk latency should be no more than 10 milliseconds, and 20 milliseconds during peak time. | Windows |
disk_write_latency | duration | Write latency of the system drive: The average time the operating system and applications wait for write tasks to be queued and executed on the system drive. Details: While latency is heavily dependent on the type of storage device used, the best practices recommend that on average the disk latency should be no more than 10 milliseconds and 20 milliseconds during peak time. | Windows |
duration_with_high_cpu_interrupt_usage | duration | Duration with high CPU interrupt usage: The duration with high CPU interrupt usage, calculated based on number of samples above the 5% threshold and a sampling frequency of 30 seconds. | Windows |
duration_with_medium_cpu_interrupt_usage | duration | Duration with medium CPU interrupt usage: The duration with medium CPU interrupt usage. Calculated based on number of samples above 2% threshold and a sampling frequency of 30 seconds. | Windows |
end_time | datetime | Bucket end: The end time of the bucket. | |
free_memory | bytes | Free memory: The additional average amount of RAM available for applications or the operating system. Details: What is considered a healthy amount of free memory depends on the workload (how bursty the memory requirements are) and can greatly vary. Less than 10% of the installed memory is generally considered as a potential bottleneck. | |
gpu_1_name | string | Name of the first GPU: The full name of the first GPU returned by the OS. | |
gpu_1_usage | float | GPU usage (1st GPU): Shows if applications are benefitting from the acceleration capabilities of the first GPU. Details: High, continued usage (80 to 90%) can signal the GPU being a bottleneck. | |
gpu_2_name | string | Name of the second GPU: The full name of the second GPU returned by the OS. | |
gpu_2_usage | float | GPU usage (2nd GPU): Shows if applications are benefitting from GPU acceleration. Details: High continued usage (80 to 90%) can signal the GPU being a bottleneck. | |
installed_memory | bytes | Installed memory: The total size of the RAM physically installed in the device. | |
memory_swap_rate | bytes | Bytes wrote to swap memory per second: The speed that content is being written to disk to free up memory. Details: Continued frequent spikes can signal that the memory is a bottleneck for running the given tasks. It can indicate periods of lower performance. | |
memory_swap_size | bytes | Swap memory size: The average size of the swap file being actively utilized by the operating system. This can impact the amount of available storage for other applications. Details: Continued high values can indicate slower performance in general. What is considered a high value is workload dependent. Having more than 5 GB of swap storage is usually considered excessive. As a best practice, the storage should be able to accommodate as much swap space as the amount of installed physical memory to be able to support heavier than usual workloads. | |
non_paged_pool_memory | bytes | Non-paged pool memory: The amount of memory used by the operating system kernel and drivers that must remain in memory all the time. Details: A high increasing value shows a kernel or driver-level memory leak. | Windows |
non_system_drive_capacity | bytes | Non system drive capacity: The total size of all non-system drives. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS. | |
non_system_drive_free_space | bytes | Non system drive free space: The amount of space available on all of the non-system drives. Details: Best practices recommend leaving 10 to 20% of storage free for spinning drives. For both better performance and longevity, SSDs should have more than 25% free space available most of the time. | |
non_system_drive_usage | bytes | Non system drive usage: The amount of used space on all of the non-system drives. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS. | |
normalized_cpu_usage | float | Normalized CPU usage: The average CPU usage on a 0 to 100% scale for the time period. Indicates how much of the time the CPU is busy. Details: A continued value of 80 to 90% or higher indicates that the CPU is a bottleneck for the workload. It does not consider the clock speed itself and will show high utilisation even if in theory the CPU could run at higher speeds but is in fact (thermally) throttled. | |
number_of_logical_processors | integer | Number of logical CPU cores: The number of logical CPUs available for the operating system to execute tasks simultaneously. Details: Based on number of CPUs, their core count and their multi-threading capability. | |
paged_pool_memory | bytes | Paged pool memory: The amount of memory used by the operating system kernel and drivers that can potentially be written to storage if needed. Details: A high increasing value shows a kernel or driver-level memory leak. | Windows |
read_operations_per_second | integer | Read operations per second: The total number of read operations per second, across all physical storage available on the device. Details: Useful for understanding the intensity of read operations that the workflow requires when moving workloads between physical devices or to virtual machines. | Windows |
start_time | datetime | Bucket start: The start time of the bucket. | |
system_drive_capacity | bytes | System drive capacity: The total capacity of the system drive. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays the data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS. | |
system_drive_free_space | bytes | System drive free space: The free space on the system drive. Details: Best practices recommend leaving 10 to 20% of storage free for spinning drives. For both better performance and longevity, SSDs should have more than 25% free space available most of the time. | |
system_drive_usage | bytes | System drive usage: The amount of used space on the system drive. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS. | |
used_memory | bytes | Used memory: The average amount of RAM actively used by the applications and the operating system. Details: If the operating system needs to free up some memory (for example, for other applications taking priority or getting in the foreground) the content is written to disk. | |
write_operations_per_second | integer | Write operations per second: The total number of write operations per second across all physical storage available on the device. Details: Useful for understanding the intensity of write operations that the workflow requires when moving workloads between physical devices or to virtual machines. | Windows |
hard_resets
The table contains hard resets, which occur when a device reboots without first completing the shutdown procedure. This could apply to situations where a device totally freezes up and can only be restarted by turning it off first, as well as situations involving power outages.
hard_resets are punctual events.
hard_resets are associated to device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_hard_resets | integer | Number of hard resets: The number of hard resets. | |
time | datetime | Time: The date and time of the crash. |
system_crashes
The table collecting the system crashes of the devices.
system_crashes are punctual events.
system_crashes are associated to device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
error_code | long | Error code: The error code for system crashes. | Windows |
error_code_hexadecimal | string | Error code in hexadecimal: The hexadecimal error code for system crashes. | Windows |
label | string | Label: The error label for system crashes. | Windows |
number_of_system_crashes | integer | Number of system crashes: The number of system crashes. | |
time | datetime | Time: The date and time of the system crash. |
Namespace dex
Querying the DEX score table gives an overview of digital employee experience for all employees or a specific subset of employees. For example, you can query DEX scores for specific locations, devices with a specific operating system, and other parameters.
application_scores
application_score
application_scores are punctual events.
application_scores are associated to device, user, application
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
node.score_impact | float | Node score: The estimated decrease in technology score of a node of the application impact score structure. Use it with the field application_score.node.type to specify which node impact score you are targeting. | |
node.type | enumeration | Node type: The type of a node of the application score structure. Use it with the field application_score.node.value to specify which node you are targeting for the score computation. Details: The possible values are:
| |
node.value | float | Node score: The score of a node of the application score structure. Use it with the field application_score.node.type to specify which node score you are targeting. Details: It is computed based on the metric corresponding to the application_score.node.type specified in the query:
Refer to the DEX score documentation for more information. | |
time | datetime | Time: The time of the DEX application score event. |
scores
A table of the DEX score.
scores are punctual events.
scores are associated to device, user
Field | Type | Description | Supported platforms |
---|---|---|---|
applications.value | float | Applications score: The Applications score is based on hard metrics around applications' performance and reliability. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.teams_audio_quality_impact_score | float | Teams (collaboration) - audio quality score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
collaboration.teams_audio_quality_value | float | Teams (collaboration) - audio quality score: The Teams audio quality score is based on the number of calls with poor audio quality. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Teams audio quality score based on the count of virtual meeting events with poor audio quality. For example, the field audio.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.teams_impact_score | float | Teams (collaboration) score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
collaboration.teams_value | float | Teams (collaboration) score: The Teams score is based on hard metrics around the video and audio quality. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.teams_video_quality_impact_score | float | Teams (collaboration) - video quality score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
collaboration.teams_video_quality_value | float | Teams (collaboration) - video quality score: The Teams video quality score is based on the number of calls with poor video quality. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Teams video quality score based on the count of virtual meeting events with poor video quality. For example, the field video.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.value | float | Collaboration score: The Collaboration score is based on hard metrics around collaboration applications such as Zoom or Teams. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.zoom_audio_quality_impact_score | float | Zoom (collaboration) - audio quality score: The Zoom audio quality score is based on the number of calls with poor audio quality. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Zoom audio quality score based on the count of virtual meeting events with poor audio quality. For example, the field audio.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.zoom_audio_quality_value | float | Zoom (collaboration) - audio quality score: The Zoom audio quality score is based on the number of calls with poor audio quality. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Zoom audio quality score based on the count of virtual meeting events with poor audio quality. For example, the field audio.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.zoom_impact_score | float | Zoom (collaboration) score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
collaboration.zoom_value | float | Zoom (collaboration) score: The Zoom score is based on hard metrics around video and audio quality. The score represents the level of digital experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
collaboration.zoom_video_quality_impact_score | float | Zoom (collaboration) - video quality score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
collaboration.zoom_video_quality_value | float | Zoom (collaboration) - video quality score: The Zoom video quality score is based on the number of calls with poor video quality. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Zoom video quality score based on the count of virtual meeting events with poor video quality. For example, the field video.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
endpoint.CPU_interrupt_usage_impact_score | float | CPU interrupt usage score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | Windows |
endpoint.CPU_interrupt_usage_value | float | CPU interrupt usage score: The CPU interrupt usage score is based on the amount of CPU interrupts over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the CPU interrupt usage score based on the value of the field cpu_interrupt_usage, which is highlighted when applications compete for shared hardware CPU resources. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | Windows |
endpoint.CPU_usage_impact_score | float | CPU usage score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.CPU_usage_value | float | CPU usage score: The CPU usage score is based on the amount of CPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the CPU usage score based on the value of the field normalized_cpu_usage, which is the average percentage of the CPU usage across all logical cores. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.GPU_1_usage_impact_score | float | GPU 1 usage score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.GPU_1_usage_value | float | GPU 1 usage score: The GPU 1 usage score is based on the amount of GPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the GPU 1 usage score based on the value of the field gpu_1_usage, which is the average percentage of the GPU usage. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.GPU_2_usage_impact_score | float | GPU 2 usage score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.GPU_2_usage_value | float | GPU 2 usage score: The GPU 2 usage score is based on the amount of GPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the GPU 2 usage score based on the value of the field gpu_2_usage, which is the average percentage of the GPU usage. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.boot_speed_impact_score | float | Boot speed score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | Windows |
endpoint.boot_speed_value | float | Boot speed score: The boot speed score is based on the duration of boot events. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the boot speed score based on the value of the field boot.duration, which is the time between powering on a device and the display of the sign-in screen. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | Windows |
endpoint.device_performance_impact_score | float | Device performance score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.device_performance_value | float | Device performance score: The device performance score is based on hard metrics around CPU usage, GPU usage, memory usage, and system free space. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.device_reliability_impact_score | float | Device reliability score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.device_reliability_value | float | Device reliability score: The Device reliability score is based on hard metrics regarding system crashes and hard resets. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: The value could be between 0 and 100 and corresponds to:
| |
endpoint.device_responsiveness_impact_score | float | Device responsiveness score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.device_responsiveness_value | float | Device responsiveness score: The Device responsiveness score is based on the delay between a user action (e.g., moving the mouse, pressing a key, etc.) and the OS acting upon it. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the amount of time per hour with noticeable input delay for the user (fields duration_with_high_user_input_delay, duration_with_medium_input_delay). The value could be between 0 and 100 and corresponds to:
| |
endpoint.disk_queue_length_impact_score | float | Disk queue length score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | Windows |
endpoint.disk_queue_length_value | float | Disk queue length score: The disk queue length score is based on the number of disk tasks waiting to be executed. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the disk queue length score based on the value of the field disk_queue_length, which is the number of storage input and output tasks waiting to be executed on the system drive. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | Windows |
endpoint.hard_reset_impact_score | float | Hard reset score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.hard_reset_value | float | Hard reset score: The Device responsiveness score is based on the number of hard resets. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the field number_of_hard_resets, which captures abrupt stops of a device caused by pressing the reset button, power failures or crashes. The value could be between 0 and 100 and corresponds to:
| |
endpoint.logon_speed_impact_score | float | Logon speed impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | Windows |
endpoint.logon_speed_value | float | Logon speed score: The Logon speed score is based on the duration of logon events. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the value of the field time_until_desktop_is_visible, which is the number of seconds between the user logging on and the desktop being shown. The value could be between 0 and 100 and corresponds to:
| Windows |
endpoint.memory_swap_rate_impact_score | float | Memory swap rate score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.memory_swap_rate_value | float | Memory swap rate score: The memory swap rate score is based on the speed at which memory is written from RAM to the disk to free up memory. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory swap rate score based on the value of the field memory_swap_rate, which is the average speed at which memory is written to the swap file. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.memory_swap_size_impact_score | float | Memory swap size score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.memory_swap_size_value | float | Memory swap size score: The memory swap size score is based on the amount of space used by the operating system to move application data from RAM to the disk. A score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory swap size score based on the value of the field memory_swap_size, which is the average amount of disk space the operating system allocates to store the state of less frequently used applications from RAM to the disk. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.memory_usage_impact_score | float | Memory usage score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.memory_usage_value | float | Memory usage score: The memory usage score is based on the amount of RAM over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory usage score based on the value of the field free_memory divided by the value of the field installed_value, which measures the average percentage of free RAM. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.network_quality_impact_score | float | Network quality score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.network_quality_value | float | Network quality score: The network quality score is based on hard metrics around the Wi-Fi signal strength, download speed, and upload speed. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.os_activation_impact_score | float | OS activation score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | Windows |
endpoint.os_activation_value | float | OS activation score: The OS activation score is based on the number of devices used by the users that do not have an activated OS. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the count of devices operated by the user with a non-activated operating system (i.e., field operating_system.is_activated is equal to False). The value could be between 0 and 100 and corresponds to:
| Windows |
endpoint.software_performance_impact_score | float | Software performance impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.software_performance_value | float | Software performance score: The Software performance score is based on hard metrics regarding software freezes occurring across the devices. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: The value could be between 0 and 100 and corresponds to:
| |
endpoint.software_performance_with_gui_impact_score | float | Software performance (with GUI) impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.software_performance_with_gui_value | float | Software performance (with GUI) score: The Software performance score is based on freezes of binaries with a Graphical User Interface. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the execution freezes (field number_of_freezes) of binaries with a graphical user interface (i.e., field has_user_interface is equal to TRUE). The value could be between 0 and 100 and corresponds to:
| |
endpoint.software_performance_without_gui_impact_score | float | Software performance (without GUI) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.software_performance_without_gui_value | float | Software performance (without GUI) score: The Software performance score is based on freezes of binaries without a Graphical User Interface. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the execution freezes (field number_of_freezes) of binaries without a graphical user interface (i.e., field has_user_interface is equal to false). The value could be between 0 and 100 and corresponds to:
| |
endpoint.software_reliability_impact_score | float | Software reliability impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.software_reliability_value | float | Software reliability score: The Software reliability score is based on hard metrics regarding software crashes occurring across the device. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: The value could be between 0 and 100 and corresponds to:
| |
endpoint.software_reliability_with_gui_impact_score | float | Software reliability (with GUI) impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.software_reliability_with_gui_value | float | Software reliability (with GUI) score: The Software reliability score is based on crashes of binaries with a Graphical User Interface. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the execution crashes (field number_of_crashes) of binaries with a graphical user interface (i.e., field has_user_interface is equal to TRUE). The value could be between 0 and 100 and corresponds to:
| |
endpoint.software_reliability_without_gui_impact_score | float | Software reliability (without GUI) score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.software_reliability_without_gui_value | float | Software reliability (without GUI) score: The Software reliability score is based on crashes of binaries without a Graphical User Interface. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the execution crashes (field number_of_crashes) of binaries without a graphical user interface (i.e., field has_user_interface is equal to false). The value could be between 0 and 100 and corresponds to:
| |
endpoint.system_crash_impact_score | float | System crash score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.system_crash_value | float | System crash score: The Device responsiveness score is based on the number of system crashes. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the field number_of_system_crashes, which captures crashes of a device such as Blue Screen of Death (BSOD) on Windows. The value could be between 0 and 100 and corresponds to:
| |
endpoint.system_free_space_impact_score | float | System free space score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.system_free_space_value | float | System free space score: The system free space score is based on the amount of free system disk space. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the system free space score based on the value of the field system_drive_free_space, which is the amount of free space available on the system drive. The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.value | float | Endpoint score: The Endpoint score is based on hard metrics focused on device performance and reliability. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: The value could be between 0 and 100 and corresponds to:
| |
endpoint.virtual_session_lag_impact_score | float | Virtual session lag impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.virtual_session_lag_value | float | Virtual session lag score: The Virtual session lag score is based on the network latency for virtual sessions. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: It is computed based on the value of the field average_network_latency, which measures the lag for virtual sessions. The value could be between 0 and 100 and corresponds to:
| |
endpoint.wifi_download_speed_impact_score | float | WiFi download speed score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.wifi_download_speed_value | float | WiFi download speed score: The Wi-Fi download speed score is based on the receiving rate of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi download speed score based on the value of the field receive_rate, which is the transmission rate of the Wi-Fi adapter.
The system computes it once per day and it is based on data from the last 7 days. | |
endpoint.wifi_signal_strength_impact_score | float | WiFi signal strength score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.wifi_signal_strength_value | float | WiFi signal strength score: The Wi-Fi signal strength score is based on the signal quality of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi signal strength score based on the value of the field signal_strength, which is the Wi-Fi signal strength or Received Signal Strength Indicator (RSSI). The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. | |
endpoint.wifi_upload_speed_impact_score | float | WiFi upload speed score: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node. | |
endpoint.wifi_upload_speed_value | float | WiFi upload speed score: The Wi-Fi upload speed score is based on the transmission rate of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi upload speed score based on the value of the field transmission_rate, which is the transmission rate for the Wi-Fi adapter.
The system computes the value once per day and it is based on data from the last 7 days. | |
sentiment.value | integer | Sentiment score: The Sentiment score is based on survey data collected via a sentiment campaign. A score represents the level of satisfaction with IT. Details: The value could be between 0 and 100 and corresponds to:
| |
technology.value | float | Technology score: The Technology score is based on hard metrics for endpoints, applications, and collaboration solutions. A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location). Details: The value could be between 0 and 100 and corresponds to:
| |
time | datetime | Time: The time of the DEX metric. | |
value | float | DEX score: The Digital Employee Experience (DEX) score is based on hard metrics and soft metrics. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
Refer to the DEX score documentation for more information. |
Namespace execution
The execution namespace consists of two tables: crashes and events. The crashes table contains instances of executables crashing. The execution events table stores information about the performance of executables in 15-minute or 24-hour time blocks.
crashes
The table collecting crashes of a running process.
crashes are punctual events.
crashes are associated to binary, device, user, application
Field | Type | Description | Supported platforms |
---|---|---|---|
binary_path | string | Binary path: The path to the crashing binary. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
crash_on_start | bool | Crashed on start: Indicates if the binary crashed immediately after launch. Details: Yes if the process crashes within the first second. | |
number_of_crashes | integer | Number of crashes: The number of crashes of the same binary that happened within one minute. Details: Collector creates only one event if the same binary crashes multiple times within one minute. | |
time | datetime | Time: The date and time when the crash happened. |
events
The table collecting performance metrics and attributes specific to a process execution.
events are sampled events.
events are associated to user, binary, device, application
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration: The duration of the bucket. | |
connection_establishment_time | duration | Connection establishment time: The average round trip time during TCP connection establishment. Requirements: TCP connections only Details: The average RTT for all established connections. The round trip time is measured between sending the SYN message and receiving the SYN-ACK message from the remote party during the TCP connection establishment (3-way handshake). | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
cpu_time | duration | CPU time: The sum of the CPU time of all the underlying processes during this bucket. Details: The CPU time can be much higher than the bucket duration as multiple processes can run in parallel on several CPU cores. | |
end_time | datetime | Bucket end: The end time of the bucket. | |
execution_duration | duration | Execution duration: The duration of the process in this bucket. Details: It represents the total time for which at least one instance of the process was running. | |
focus_time | duration | Focus time: The amount of time any window related to this execution was in focus. Details: A window is in 'focus' when it is selected to receive input from the user. Only one window has the focus at any point in time. The focus time of all windows related to this execution is summed up to a maximum that equals the bucket duration. | |
incoming_throughput | float | Incoming throughput: The average download speed in Mbit/sec. Requirements: TCP connections only | |
incoming_traffic | bytes | Incoming traffic: The amount of application traffic received. Requirements: TCP connections only | |
memory | bytes | Memory used: The average memory in bytes. Details: This metric is based on the memory used by all processes running the same binary during this bucket. When aggregating the data, the average is weighted with the execution duration. | |
number_of_established_connections | integer | Established connections: The number of connections that have been established in this bucket. | |
number_of_freezes | integer | Number of freezes: The number of execution freezes. Details: The sampling of unresponsive applications every 30 seconds might lead to missed execution freezes. | |
number_of_logical_processors | integer | Logical processors: The number of logical processors on the device. Details: Use this metric to calculate normalized CPU usage by dividing through the number of logical processors. | |
number_of_no_host_connections | integer | Failed connections - no host: The number of connections that failed because the device cannot reach the destination host. Requirements: TCP connections only Details: A connection fails with 'no host' when the destination host (remote party) does not acknowledge the TCP SYN message. For example, the remote party does not exist or a firewall blocks the connection request. | |
number_of_no_service_connections | integer | Failed connections - no service: The number of connections that failed because the device cannot reach the service on the destination host. Requirements: TCP connections only Details: A connection fails with 'no service' when the destination host (remote party) answers the initial TCP SYN message with an RST message. For example, the remote party exists, but no service is bound to the requested port. Note that a firewall protects most personal computers and discards RST messages to prevent effective port scanning. | |
number_of_page_faults | long | Page faults: The total number of page faults. Details: A page fault happens when a process tries to access a part of the memory that has not yet been loaded into memory. Page faults degrade the performance of the execution and the system. | Windows |
number_of_rejected_connections | integer | Failed connections - rejected: The number of outgoing connections that have been rejected on the device of the user. Requirements: TCP connections only Details: The operating system of the device or a local firewall can reject an outgoing connection on the device. | |
number_of_stopped_processes | integer | Stopped processes: The total number of stopped processes. | |
outgoing_throughput | float | Outgoing throughput: The average upload speed in Mbit/sec. | |
outgoing_traffic | bytes | Outgoing traffic: The amount of application traffic sent. Details: This includes the traffic from all TCP and UDP connections. | |
primary_physical_adapter_type | enumeration | Network adapter type: The type of the primary physical network adapter at the time of this execution. Details: There are three types of physical network adapters:
| |
start_time | datetime | Bucket start: The start time of the bucket. |
Namespace package
The package namespace includes information about software products in their distributable form: applications and updates. In addition to the packages and installed_packages tables, it includes two event tables: installations and uninstallations.
packages
A table of packages. A package is a group of files and executables that together constitute a software application.
Field | Type | Description | Supported platforms |
---|---|---|---|
first_seen | datetime | First seen: It represents the date and time the package was first detected on the Nexthink platform. | Windows |
name | string | Package name: The name of the package as it is listed in the operating system. Details: The Nexthink platform scans for new packages once per hour. Installation and uninstallation events align with the hourly scans. | Windows |
parent_name | string | Parent package name: It shows the name of the original package that an update was installed for. Details: Applies only to updates. The field is empty for regular installation packages. | Windows |
platform | enumeration | Package platform: The platform to which the operating system belongs for the installed package. Details: Possible values are:
| Windows |
publisher | string | Package publisher: The name of the company that publishes the software. | Windows |
type | enumeration | Package type: It shows if the package contains a program or an update to a previously installed package. Details: Possible values are:
| Windows |
uid | uuid | Package UID: The numerical value that uniquely identifies a package on the Nexthink platform. | Windows |
version | string | Package version: The version of the package stored as a String. Details: The type is set as a string because the package version reported by the operating system is not always numerical. This contrasts with binary.version, which consistently follows the x.y.z.t format. | Windows |
installations
A table of package installation events.
installations are punctual events.
installations are associated to package, device, user
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
time | datetime | Installation time: The time of the installation event. |
uninstallations
A table of package uninstallation events.
uninstallations are punctual events.
uninstallations are associated to package, device, user
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
time | datetime | Uninstallation time: The time of the uninstallation event. |
installed_packages
A table of all installed packages on all devices.
installed_packages are associated to device, user, package
Field | Type | Description | Supported platforms |
---|---|---|---|
first_seen | datetime | First seen: It represents the date and time the package was first detected on the Nexthink platform. | Windows |
name | string | Package name: The name of the package as it is listed in the operating system. Details: The Nexthink platform scans for new packages once per hour. Installation and uninstallation events align with the hourly scans. | Windows |
parent_name | string | Parent package name: It shows the name of the original package that an update was installed for. Details: Applies only to updates. The field is empty for regular installation packages. | Windows |
platform | enumeration | Package platform: The platform to which the operating system belongs for the installed package. Details: Possible values are:
| Windows |
publisher | string | Package publisher: The name of the company that publishes the software. | Windows |
type | enumeration | Package type: It shows if the package contains a program or an update to a previously installed package. Details: Possible values are:
| Windows |
uid | uuid | Package UID: The numerical value that uniquely identifies a package on the Nexthink platform. | Windows |
version | string | Package version: The version of the package stored as a String. Details: The type is set as a string because the package version reported by the operating system is not always numerical. This contrasts with binary.version, which consistently follows the x.y.z.t format. | Windows |
Namespace remote_action
The remote action namespace consists of tables giving details about remote actions, including the configuration data and the remote action executions. Nexthink Remote Actions allows you to execute small scripts on employee devices. It provides several opportunities for the prevention and remediation of employee issues and for gathering additional information from endpoints running Nexthink Collector.
remote_actions
The table of defined remote actions.
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The name of the remote action. Details: User defined friendly name created through the remote action configuration page. | |
nql_id | string | NQL ID: The unique identifier of a remote action. Details: The NQL ID cannot be changed after the initial creation. | |
source | enumeration | Remote action source: It represents the platform that was used to create the remote action. Details: Possible values:
Note that cloud references Nexthink Infinity. |
executions
The table collecting the executed remote actions.
executions are punctual events.
executions are associated to device, remote_action
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
external_reference | string | External reference: An identifier of the external web application record in reference to which the remote action was executed. Details: The field could contain values such as the ticket identifier of an ITSM ticket. | |
external_source | string | External source: Name of the external system, outside of Nexthink, from where the remote action was triggered. Details: External source contains the name of the external system that used either a Nexthink product or the API directly to trigger the remote action. | |
inputs | string | Inputs: A list of the inputs provided for the remote action execution. Details: The list of inputs provided for the remote action execution at the point it was triggered. | |
internal_source | string | Internal source: Displays the name of the feature from which the remote action was triggered. Possible values: Amplify, Workflow, Investigation, Device view, or blank for no value. | |
message_uuid | string | Message UUID: The unique identifier of the remote action execution. Details: The message UUID is used to identify a single remote action execution and is generated when a remote action is triggered. | |
number_of_executions | long | Number of executions: The number of times the remote execution attempted to run on the device. | |
outputs | string | Outputs: A list of outputs collected by the remote action execution. | |
purpose | enumeration | Purpose: The purpose of the remote action defined in the configuration. Details: The purpose is part of the remote action configuration and describes whether the remote action is collecting data, remediating an issue or performing both functions.
| |
request_id | string | Request ID: The unique identifier for the request that created this remote action execution. Details: The request ID is generated and linked to individual remote action executions when a remote action is triggered against one or multiple devices. | |
request_time | datetime | Request time: The date and time when the remote action execution was triggered. | |
status | enumeration | Status: The current status of the remote action execution. Details: The status can be used to monitor whether a remote action execution has finished or not.
| |
status_details | string | Status details: The latest message returned by the remote action execution. Details: The status details field contains the return message and exit codes from the remote action. | |
time | datetime | Time: The date and time the remote action execution was last updated. | |
trigger_method | enumeration | Trigger method: Displays the mode of trigger used to start the remote action execution. Details: Possible values:
|
executions_summary
The table collecting the trend of executed remote actions.
executions_summary are sampled events.
executions_summary are associated to remote_action
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
inputs | string | Inputs: A list of inputs provided for the remote action execution. Details: The list of inputs provided for the remote action execution at the point that it was triggered. | |
number_of_executions | long | Number of executions: The number of times the remote execution attempted to run on the device. | |
purpose | enumeration | Purpose: The purpose of the remote action defined in the configuration. Details: The purpose is part of the remote action configuration and describes whether the remote action is collecting data, remediating an issue or performing both functions.
| |
status | enumeration | Status: The current status of the remote action execution. Details: The status can be used to monitor whether a remote action execution has finished or not.
| |
status_details | string | Status details: The latest message returned by the remote action execution. Details: The status details field contains the return message and exit code that came back from the remote action. | |
time | datetime | Time: The date and time when the remote action execution was last updated. | |
trigger_method | enumeration | Trigger method: The trigger used to start the remote action execution. Details: Possible values:
|
Namespace service
The service namespace is an inventory of critical system components and specialised applications that run in the background on user devices. It allows for efficient status and/or configuration tracking and optimisation to ensure system reliability and security.
Please note: This feature is exclusive to Nexthink Infinity.
services
A table of services. A service performs automated tasks, responds to hardware events, or listens for data requests from other software. These services are often loaded automatically at startup and run in the background, without user interaction.
Field | Type | Description | Supported platforms |
---|---|---|---|
arguments | string | Arguments: Parameters used for launching the service. Requirements: Exclusive to Nexthink Infinity. Details: Unique IDs and hashes contained in the arguments might be replaced with ellipses to better correlate the same services. | Windows |
dependency_of | jsonArrayString | Dependency of: List of other services and drivers that depend on this service. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. | Windows |
depends_on | jsonArrayString | Depends on: List of services and drivers that the given service depends on. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. | Windows |
description | string | Description: Purpose of the service as stated by the developer. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. English version takes precedence. | Windows |
display_name | string | Display name: User friendly name of the service. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. English version takes precedence. | Windows |
module_path | string | Module path: DLL module loaded by the main executable. Requirements: Exclusive to Nexthink Infinity. | Windows |
name | string | Name: Short name of the service used for identification. Requirements: Exclusive to Nexthink Infinity. | Windows |
path | string | Path: Location of the binary that is executed for the service. Requirements: Exclusive to Nexthink Infinity. Details: Unique IDs and hashes contained in the path might be replaced with ellipses to better correlate the same services. | Windows |
uid | uuid | Service UID: It represents a numerical value that uniquely identifies a service on the Nexthink platform. | Windows |
changes
Timeline of events when an attribute of an existing service has changed on a device.
changes are punctual events.
changes are associated to service, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
field | enumeration | Field: Name of the attribute of the related service that has changed. Requirements: Exclusive to Nexthink Infinity. | Windows |
new_value | string | New value: New value of the field that has changed. Requirements: Exclusive to Nexthink Infinity. | Windows |
old_value | string | Old value: Previous value of the field that has changed. Requirements: Exclusive to Nexthink Infinity. | Windows |
time | datetime | Time: When the change of the value was detected. | Windows |
installations
Punctual event indicating when a service was added to or removed from a particular device.
installations are punctual events.
installations are associated to service, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
event_type | enumeration | Installation type: Indicates if the service was installed or uninstalled. (install, uninstall) Requirements: Exclusive to Nexthink Infinity | Windows |
time | datetime | Time: When the item was detected to be added or removed. | Windows |
installed_services
A table of all installed services on all devices.
installed_services are associated to device, service
Field | Type | Description | Supported platforms |
---|---|---|---|
first_seen | datetime | Service first seen: Service first seen on the given device. Requirements: Exclusive to Nexthink Infinity. | Windows |
last_updated | datetime | Service info last updated: When the last change of the service was captured on the given device. Requirements: Exclusive to Nexthink Infinity. | Windows |
logon_as | string | Service logs on as: Either one of the main 4 options (Local System, Local Service, Network Service, Per user) or an explicit user. Requirements: Exclusive to Nexthink Infinity. Details: The "per user" startup-type is specific to so-called per-user services that are run on user login, for the specific user, in their own session. | Windows |
startup_type | enumeration | Service startup type: The startup type (Automatic, Manual, Disabled, or Delayed) defines how and when a Windows service initiates its operation. Requirements: Exclusive to Nexthink Infinity. Details: Automatically started services are launched after the device was booted, while Delayed ones usually wait 120s after the last Automatic service has been started. (Delay period is configurable.) Manual services are launched on-demand. | Windows |
Namespace session
The session namespace consists of several events tables related to a user session on a device. The session events table contains all sampled metrics in 15-minute and 24-hour buckets. The others are punctual events linked to a session.
connects
The table collecting connections linked to user sessions.
connects are punctual events.
connects are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_connects | integer | Number of connects: The number of session connects. | |
session_uid | string | Session UID: The session UID. | |
time | datetime | Time: The date and time of the connection. |
disconnects
The table collecting disconnections linked to user sessions.
disconnects are punctual events.
disconnects are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_disconnects | integer | Number of disconnects: The number of session disconnects. | |
session_uid | string | Session UID: The session UID. | |
time | datetime | Time: The date and time of the disconnect. |
events
The table collecting performance metrics and attributes specific to both local and remote sessions.
events are sampled events.
events are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
average_network_latency | duration | Average network latency: It indicates how long it took on average for remote access protocol packets to travel from the endpoint to the virtual desktop and back. Some users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. | Windows |
average_rtt | duration | Average RTT: It indicates how long it took on average for the virtual desktop to respond to the user input. Some users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for remote desktop sessions that are accessed through the Citrix ICA/HDX remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. Details: The session input round trip time combines network performance and performance of the virtual desktop in a single measurement. To diagnose the cause of a high value, you also need to look at the session network latency. If the session latency is also high then you should first investigate network connections. Otherwise, start investigating the performance of the virtual desktops. | Windows |
bucket_duration | duration | Bucket duration: It represents the timespan over which the metrics were measured and aggregated. | |
client_ip | ipAddress | Client IP address: The IP address of the device used to access the remote virtual desktop. Requirements: This value is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. Note that some modern desktop virtualization solutions no longer support this value due to security and network routing restrictions. | Windows |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration_with_high_user_input_delay | duration | Duration with high user input delay: The amount of time the session took longer than 200 milliseconds to respond to a user input. Requirements: The user input delay requires Windows 11 or Windows Server 2022. | Windows |
duration_with_medium_user_input_delay | duration | Duration with medium user input delay: The amount of time the session took longer than 100 milliseconds to respond to a user input. Requirements: The user input delay requires Windows 11 or Windows Server 2022. | Windows |
end_time | datetime | Bucket end: It represents the date and time at which the data collection ended for the given timespan. | |
max_network_latency | duration | Maximum network latency: The maximum amount of time it took for the remote access protocol packets to travel from the endpoint to the virtual desktop and back. Users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. | Windows |
max_rtt | duration | Maximum RTT: The maximum amount of time it took for the virtual desktop to respond to a user input. Users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for remote desktop sessions that are accessed through the Citrix ICA/HDX remote access protocol. Furthermore, this metric requires Nexthink Collector to be installed on the virtual desktop machine. Details: The session input round trip time combines network performance and performance of the virtual desktop in a single measurement. To diagnose the cause of a high value, you also need to look at the session network latency. If the session latency is also high then you should first investigate the network connections. Otherwise, start investigating the performance of the virtual desktops. | Windows |
protocol | enumeration | Protocol: The remote access protocol used to connect to the session. The possible values are:
| |
session_id | long | Session ID: A temporary identifier which is assigned to each user session on a Windows computer. On a macOS device, the session ID represents the program ID of the process that is hosting the session. Details: Typically, only one interactive user is present on a Windows device at any given time. On a virtual desktop, many users may be interacting with the device at the same time. Each user session will get a unique ID assigned when the user logs in. The ID stays with that session until the user logs off. After that, the session ID will be reused for the next user who logs in. Beware that the session ID cannot be used to uniquely identify sessions on the Nexthink platform. | |
session_uid | string | Session UID: The unique identifier of a session on the Nexthink platform. | |
start_time | datetime | Bucket start: The start time of the bucket. | |
user_interaction_time | duration | Interaction time: The time that the user was actively interacting with the session. Details: Collector gathers information about when and how long the user was interacting with the computer with the help of a keyboard or a pointing device. The sum of these interactive periods is reported as a duration. |
lifecycle_events
The table collecting all events linked to user sessions.
lifecycle_events are punctual events.
lifecycle_events are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_lifecycle_events | integer | Number of events: The number of session events. | |
session_uid | string | Session UID: The session UID | |
time | datetime | Time: The date and time of the lifecycle event. | |
type | enumeration | Lifecycle event type: The type of lifecycle event. Possible values are:
|
locks
The table collecting locks linked to the user sessions.
locks are punctual events.
locks are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_locks | integer | Number of locks: The number of session locks. | |
session_uid | string | Session UID: The session UID | |
time | datetime | Time: The date and time of the lock event. |
logins
The table collecting all session logins.
logins are punctual events.
logins are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_logins | integer | Number of logins: The number of logins. | |
session_uid | string | Session UID: The session UUID | |
time | datetime | Time: The date and time of the login. | |
time_until_desktop_is_ready | duration | Time until desktop ready: The number of seconds between the user login and the moment the device is ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%. | Windows |
time_until_desktop_is_visible | duration | Time until desktop visible: The number of seconds between the last user login and the time the desktop appears. | Windows |
logouts
The table collecting all session logouts.
logouts are punctual events.
logouts are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_logouts | integer | Number of logouts: The number of logouts. | |
session_uid | string | Session UID: The session UUID | |
time | datetime | Time: The date and time of the logout. |
unlocks
The table collecting unlocks linked to user sessions.
unlocks are punctual events.
unlocks are associated to user, device
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
number_of_unlocks | integer | Number of unlocks: The number of session unlocks. | |
session_uid | string | Session UID: The session UID. | |
time | datetime | Time: The date and time of the unlock event. |
Namespace software_metering
The software metering namespace contains a table that stores software usage to optimize licenses across an organization. This data is collected for the software meters configured in the system.
meter_configurations
meter_configuration
Field | Type | Description | Supported platforms |
---|---|---|---|
description | string | Description: The description of a software meter configuration. Details: User-defined through Software metering configuration interface. The description of the software meter can be changed after creation. | |
license_type | enumeration | License type: The type of licensing model for the configured software meter. It could be: User-based or Device-based. Details: User-defined through Software metering configuration interface. | |
name | string | Name: The name of a software meter configuration. Details: User-defined through Software metering configuration interface. Software meter configurations are based on Application Objects. The name of the software meter can be changed after creation and should not be used as a unique identifier. | |
nql_id | string | NQL ID: The unique identifier of a software meter configuration. Details: NQL ID cannot be changed after initial creation. |
events
event
events are punctual events.
events are associated to device, user, application, meter_configuration
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location_geo_ip.country | string | Country location: The country in which the device is located at the time of the event. | |
context.location_geo_ip.state | string | Country subdivision location: The state in which the device is located at the time of the event. | |
context.location_geo_ip.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
desktop_execution_duration | duration | Execution duration - Desktop: Execution duration of Desktop part. Requirements: The configured software meter should have a desktop part to be populated. | |
desktop_focus_time | duration | Focus time - Desktop: The amount of time when any window of the software's executables was in focus. Requirements: | |
end_time | datetime | Bucket end: The end time of the bucket. Details: The bucket for software metering has a resolution of 1 week and always starts at the beginning of the week UTC. | |
start_time | datetime | Bucket start: The start time of the bucket. Details: The bucket for software metering has a resolution of 1 week and always starts at the beginning of the week UTC. | |
web_focus_time | duration | Focus time - Web: The amount of time when a browser tab is running the software and has the focus. Requirements: How to enable web usage time metric. Details: It is collected via the Nexthink browser plugin. | |
web_is_used | bool | Webpart usage indicator: It indicates if the user accessed the URLs of the software. It should be used in case Web usage time is disabled for web applications. Details: It is collected via the Nexthink Browser plugin. |
Namespace web
The web namespace contains tables that store events, errors, page views and transactions that occur in the business-critical services defined in the tables of the application namespace.
errors
The table collecting errors of defined business-critical services.
errors are sampled events.
errors are associated to binary, device, user, application, page
Field | Type | Description | Supported platforms |
---|---|---|---|
adapter_type | enumeration | Adapter type: The type of adapter used when the error occurred. Possible values are: | |
bucket_duration | duration | Bucket duration: The duration of the bucket. | |
code | integer | Error code: The extended HTTP response status. This is a numerical field denoting the code associated with the error, for example, 404, 401, 601. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
end_time | datetime | Bucket end: The end time of the bucket. | |
label | string | Error label: The error message as reported by the browser. The web browser reports a wide range of error types that the Nexthink browser extension catches and reports to the Nexthink instance, for example, HTTP 404, net::ERR_TIMED_OUT. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
number_of_errors | integer | Number of errors: The number of web errors recorded within the time bucket. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. | |
start_time | datetime | Bucket start: The start time of the bucket. | |
url | string | URL: The navigation URL recorded when the error event happened. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. |
events
The table collecting events of defined business-critical services.
events are sampled events.
events are associated to binary, device, user, application, page
Field | Type | Description | Supported platforms |
---|---|---|---|
bucket_duration | duration | Bucket duration: The duration of the bucket. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration | duration | Usage time: The time spent using the application or key page. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The usage time includes both page load time and the time the employee is not interacting with the page at all, as long as the tab is focused. | |
end_time | datetime | Bucket end: The end time of the bucket. | |
start_time | datetime | Bucket start: The start time of the bucket. |
page_views
Table collecting page views of defined business-critical services.
page_views are sampled events.
page_views are associated to binary, device, user, application, page
Field | Type | Description | Supported platforms |
---|---|---|---|
adapter_type | enumeration | Adapter type: The type of adapter used when the navigation occurred. Possible values are: | |
bucket_duration | duration | Bucket duration: The duration of the bucket. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
detailed_page_load_time.connect | duration | Connect time: The time spent establishing TCP connection, including secure socket connection, if performed. The connect time metric provides insights into the latency and performance of the connection establishment process. That metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that this metric is not measured for every page view event or subsequent requests within a single browsing session. Once the TCP connection is established, subsequent requests can reuse the existing connection, which eliminates the need for the TCP handshake and reduces the overall latency. | |
detailed_page_load_time.dom_content_loading | duration | DOM loaded time: The time it took for a webpage to finish creating its visual structure, known as the render tree. It starts when the necessary styles for the page, known as the CSS Object Model, are ready. The 'DOMContentLoaded' event is triggered before the complete loading of external resources such as images, stylesheets, and scripts. This means that once this event is completed, critical functionality and interactivity become available to users, even if additional resources are still loading in the background. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The timing metric associated with the 'DOMContentLoaded' event includes two properties: 'domContentLoadedEventStart' and 'domContentLoadedEventEnd.' These properties represent the start and end times of the render tree creation process. Optimizing the 'DOMContentLoaded' event can significantly improve the perceived performance of a webpage. Techniques to enhance this metric include minimizing render-blocking resources, lazy loading non-critical resources, optimizing JavaScript execution, and implementing resource caching. | |
detailed_page_load_time.dom_processing | duration | DOM processing time: The time it takes for a webpage to finish building its structure and become fully interactive. This process is called constructing the Document Object Model (DOM). This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The complete state, represented by the 'domComplete' property, marks the point when the browser has fully constructed the DOM tree, including any dynamically generated or modified elements. It signifies the completion of the DOM processing phase. Optimizing DOM processing involves techniques like optimizing HTML structure, reducing DOM complexity, optimizing external resources, and improving JavaScript execution. Faster DOM processing leads to quicker rendering and interactivity, enhancing the overall user experience. | |
detailed_page_load_time.domain_lookup | duration | DNS lookup time: The time spent on DNS resolution, for example, the time between the browser starting to resolve the domain name and when the resolution is complete. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that this metric is not measured for every request. It is typically measured once per browsing session or connection. | |
detailed_page_load_time.load_event | duration | Load event time: The time spent on the page load event. The load event is fired when all resources, including images, scripts, stylesheets, and subframes, have finished loading, and the webpage is fully rendered and ready for user interaction. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When you visit a webpage, the browser needs to download and process various resources like images, scripts, stylesheets, and other elements. The 'loadEventStart' property indicates the point when the browser begins loading these resources. The 'loadEventEnd' property, on the other hand, represents the moment when the webpage has finished loading all the necessary resources and is fully displayed on the screen, ready for you to use. If the load event takes a long time to complete, it could indicate issues such as slow server response, large resource sizes, excessive JavaScript execution, or inefficient resource loading strategies. | |
detailed_page_load_time.redirect | duration | Redirect time: The time spent on page redirections. If there are any redirects involved in the navigation, these properties indicate the start and end times of the redirect process. They measure the time taken to complete any HTTP redirects, which occur when a server responds to a request with a redirection status code. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Redirects could happen, for example, when a website has changed its URL or when certain content has been moved. | |
detailed_page_load_time.request | duration | Request time: The time it takes to wait for the first byte of the document response. This is the time between when the browser starts requesting the document from the server, and when the browser receives the first byte of the response from the server. This metric is the only contributor to the 'backend time' metric. Backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries, or server overload. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
detailed_page_load_time.response | duration | Response time: The elapsed time between the first and last bytes of the response. It measures the efficiency of network communication and contributes to the 'network time' metric. Optimizing response time involves minimizing network latency, using data compression, implementing caching mechanisms, and reducing round trips. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
detailed_page_load_time.secure_connection | duration | TLS time: The time it takes to establish a secure socket connection (TLS handshake) between the browser and the webserver. This metric represents a part of the connection metric. Note that this metric is not measured for every page view event or subsequent requests within a single browsing session. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
detailed_page_load_time.unload_event | duration | Unload event time: The time spent on the page unload event. An unload event is triggered when the user navigates away from the page or when the page is reloaded. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
domains_contacted | integer | Number of domains contacted: It indicates the number of unique domain names from which various resources (such as images, scripts, stylesheets, fonts, etc.) are being fetched. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: This metric indicates the level of domain diversity in terms of resource retrieval during the loading process of a web page. | |
end_time | datetime | Bucket end: The date and time of the bucket end. | |
experience_level | enumeration | Experience level: The user experience level of a navigation evaluated by the extension, based on the defined thresholds. Possible values are: | |
is_soft_navigation | bool | Soft navigation: It indicates whether a navigation is a hard navigation or soft navigation. Soft navigations refer to navigations within a single-page application, where the browser does not load a new page, as opposed to hard navigations where a webpage is initially loaded. Note that soft navigations are not collected by default and should be enabled on a per-application basis. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
largest_resource_load_time | duration | Largest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When a user's browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. | |
largest_resource_size | bytes | Size of the largest resource: The size of the largest resource. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. | |
largest_resource_type | string | Type of the largest resource: The type of the largest resource, e.g., 'stylesheet', 'script', 'image'. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. | |
largest_resource_url | string | URL of the largest resource: It indicates the URL of the largest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. | |
longest_resource_load_time | duration | Longest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. | |
longest_resource_size | bytes | Size of the longest resource: The size of the longest resource. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. | |
longest_resource_type | string | Type of the longest resource: The type of the longest resource, e.g., 'stylesheet', 'script', 'image'. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. | |
longest_resource_url | string | URL of the longest resource: It indicates the URL of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that resource URLs are sanitised using the sanitisation rules described in the online documentation. | |
number_of_active_tabs | long | Number of active tabs: It indicates the number of open and active tabs of a browser. Users may experience web application slowness if this value is too large. This measurement is collected for every navigation and transaction event. Note that browsers offload or deactivate certain tabs over time to save memory. This metric presents the active tabs on a browser that are not offloaded or deactivated. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. | |
number_of_large_resources | integer | Number of large resources: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that are larger than 100KB, during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When a browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. | |
number_of_page_views | integer | Number of page views: The number of page views that took place within the time bucket. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. | |
number_of_resource_errors | integer | Number of resource errors: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that failed to load or encountered errors during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Resource errors can indicate that some files or assets are missing from the web application. This may result in broken links, missing images, or non-functional scripts. | |
number_of_resources | integer | Number of resources: It indicates the total number of resources (such as images, scripts, stylesheets, or other files) loaded during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The more resources a web page has, the longer it may take to load and render in the browser. By analyzing the number of resources, you can identify opportunities to optimize the performance of your web application. For example, you might consider minimizing or combining CSS and JavaScript files, compressing images, or using caching techniques to reduce the number of requests made to the server. | |
page_load_time.backend | duration | Backend time: The estimated time spent on the backend side during a navigation. The backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries or server overload. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation | |
page_load_time.client | duration | Client time: The time taken by the client-side application, running on the device, to respond. It represents the portion of the total page load time that is not spent on network and backend, for example 'Client time' is 'Total page load time' minus 'Backend time' and 'Network time'. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long client time can indicate issues such as slow rendering of page elements, excessive JavaScript processing, inefficient CSS styling or device/OS processing other tasks. | |
page_load_time.network | duration | Network time: The time it takes for a web request to travel over the network from client device to the server and for the server response to travel back. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long network time can indicate issues such as network congestion, poor server performance, or geographical distance between the server and the client. It is important to note that the network time can also be impacted by the size and complexity of the web page being loaded, as well as the geographical location of the server and the client device. | |
page_load_time.overall | duration | Page load time: It indicates the time taken by a page to load. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. | |
response_size | bytes | Response size: The size of the HTTP response. | |
start_time | datetime | Bucket start: The date and time of the bucket start. | |
url | string | URL: The navigation URL recorded when the page view event took place. |
transactions
The table collecting transactions of defined business-critical services.
transactions are sampled events.
transactions are associated to binary, device, user, application, transaction
Field | Type | Description | Supported platforms |
---|---|---|---|
adapter_type | enumeration | Adapter type: The type of adapter used when the transaction occurred. Possible values are: | |
bucket_duration | duration | Bucket duration: The duration of the bucket. | |
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration | duration | Transaction duration: The time it took for the transaction to complete. | |
end_time | datetime | Bucket end: The end time of the bucket. | |
experience_level | enumeration | Experience level: The user experience level of a transaction evaluated by the extension, based on the defined thresholds. Possible values are: | |
number_of_transactions | integer | Number of transactions: The number of transactions that took place within the time bucket. | |
start_time | datetime | Bucket start: The start time of the bucket. | |
status | enumeration | Status: The transaction status. Possible values are: |
Namespace workflow
The workflows namespace consists of tables giving details about workflows, including configuration data and executions of workflows. Workflows are a dynamic and logical collection of Nexthink and 3rd party actions combined to deliver a multi-faceted solution.
workflows
workflow
Field | Type | Description | Supported platforms |
---|---|---|---|
name | string | Name: The name of the workflow. Details: User defined friendly name created through the workflow configuration page. | |
nql_id | string | Workflow NQL ID: The unique identifier of a workflow. Details: The NQL ID cannot be changed after the initial creation. |
executions
execution
executions are punctual events.
executions are associated to device, user, workflow
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
duration_seconds | duration | Execution Duration: The time taken for the workflow execution to complete. Details: The execution duration is a measure of the time between the workflow execution start and end states. | |
execution_id | uuid | Execution ID: The unique identifier of the workflow execution. Details: The execution ID is used to identify a single workflow execution and is generated when a workflow is started. | |
inputs | string | Inputs: A list of inputs provided for the workflow execution. Details: The list of inputs provided for the workflow execution at the point it was triggered. | |
number_of_executions | long | Number of executions: The number of times this workflow execution attempted to run. | |
outcome | enumeration | Outcome: The resulting outcome of finishing a workflow. Details: Possible values: | |
outcome_details | string | Outcome details: The reason why the outcome of a workflow was reached. Details: The details of why an outcome has been reached after finishing a workflow. | |
request_id | uuid | Request ID: The unique identifier of the request that created this workflow execution. Details: The request ID is generated and linked to individual workflow executions when a workflow is triggered against one or multiple targets. | |
request_time | datetime | Request time: The date and time that the workflow execution was triggered. | |
status | enumeration | Status: The status of the execution. Possible values are: | |
status_details | string | Status details: The latest message returned by the workflow execution. Details: The status details field is usually only populated when the workflow execution has encountered a problem. | |
time | datetime | Last updated: It represents the date and time the workflow execution was last updated. | |
trigger_method | enumeration | Trigger method: The trigger that was used to start the workflow execution. Details: Possible values: | |
workflow_version | integer | Workflow version: The version of the workflow used for this execution. Details: The workflow version field helps to identify which version of the workflow design is being followed for this specific workflow execution. |
executions_summary
execution_summary
executions_summary are sampled events.
executions_summary are associated to workflow
Field | Type | Description | Supported platforms |
---|---|---|---|
context.location.country | string | Country: The country in which the device is located at the time of the event. | |
context.location.state | string | State: The state in which the device is located at the time of the event. | |
context.location.type | string | Type: The type of location indicates whether the device is onsite or remote at the time of the event. | |
context.organization.entity | string | Entity: The organizational entity of the event. | |
inputs | string | Inputs: A list of inputs provided for the workflow execution. Details: The inputs are those that were provided for the workflow execution by the user, via a schedule or from a call to the Nexthink Infinity API. These inputs are used by the workflow to influence both the outcomes of actions within the flow and the logical path which the workflow takes. | |
number_of_executions | long | Number of executions: The number of times this workflow execution attempted to run. | |
outcome | enumeration | Outcome: The resulting outcome of finishing a workflow. Details: Possible values: | |
outcome_details | string | Outcome details: The reason why the outcome of a workflow was reached. Details: The details of why an outcome has been reached after finishing a workflow. | |
status | enumeration | Status: The overall status of the workflow execution. Details: The status can be used to monitor whether a workflow execution has finished or not. | |
time | datetime | Time: The date and time the workflow execution was last updated. | |
trigger_method | enumeration | Trigger method: The trigger that was used to start the workflow execution. Details: Possible values: |