Custom trends NQL examples

Keeping track of execution crashes

Track the daily number of execution crashes.

Custom trend definition

devices
| include execution.crashes past 1d
| compute nb_crashes = number_of_crashes.sum()
| list nb_crashes , hardware.manufacturer

Custom trend data retrieval

You can use the above trend definition, to create the following dashboard:

1. Compute the number of devices with crashes and the total number of devices.

   Copy

   custom_trend.#execution_crashes.snapshots during past 90d
   | summarize devices_with_crashes = device.countif(nb_crashes > 0), device_count = device.count()

2. Observe daily changes of the total number of crashes over the last 90 days.

   Copy

   custom_trend.#execution_crashes.snapshots during past 90d
   | summarize number_of_crashes_ = nb_crashes.sum() by 1d

3. Observe the total number of crashes per device platform. Include only devices with at least one crash.

   Copy

   custom_trend.#execution_crashes.snapshots during past 90d
   | where nb_crashes > 0
   | summarize number_of_crashes_ = nb_crashes.sum() by context.device_platform
   | sort number_of_crashes_ desc

4. Observe the total number of crashes, and the number of devices with crashes per device hardware manufacturer.

   Copy

   custom_trend.#execution_crashes.snapshots during past 90d
   | where hardware_manufacturer != "VMWare"
   | where hardware_manufacturer != null
   | summarize number_of_crashes_ = nb_crashes.sum(), number_of_devices_ = device.count() by hardware_manufacturer
   | sort number_of_crashes_ desc

Monitoring Windows 11 migration

Track the ratio of devices with Windows 11 over time.

Custom trend definition

devices
| where operating_system.platform == windows
| list operating_system.name, hardware.type

Custom trend data retrieval

custom_trend.#windows_migration.snapshots during past 300d
| where hardware_type !in [virtual, null]
| summarize ratio_with_windows_11 = countif(operating_system_name == "*windows 11*")/count() by 1d

Monitoring boot duration

Track the average boot durations for each device, to monitor the effect of implementing leaner configurations.

Custom trend definition

devices during past 1d
| include device_performance.boots during past 1d
| compute boot_duration = duration.avg()
| list boot_duration, hardware.type

Custom trend data retrieval

custom_trend.#boot_duration.snapshots during past 90d
| where (context.device_platform == "Windows" and hardware_type == laptop)
| summarize boot_duration_avg = boot_duration.avg() by 1d

Monitoring devices with application crashes on startup

Track the daily number of devices that had at least one application crash on the application startup.

Custom trend definition

devices during past 1d
| include execution.crashes during past 1d
| where crash_on_start == true
| compute crash_on_start_count = count()
| list crash_on_start_count

Custom trend data retrieval

custom_trend.#crashes_on_start.snapshots during past 300d
| where crash_on_start_count > 0
| summarize devices_with_app_crashes_at_start = count() by 1d

Monitoring CPU usage of different binary versions

Track the average CPU usage of application broken down by its versions.

Custom trend definition

devices
| include execution.events during past 1d
| where binary.name == "zoom.exe"
| compute CPU_usage_ratio = ((cpu_time.sum()) * (100)) / ((execution_duration.sum()) * (number_of_logical_processors.max())), last_version = binary.version.last()
| list CPU_usage_ratio, last_version

Custom trend data retrieval

custom_trend.#zoom_cpu_usage_ratio.snapshots during past 300d
| summarize c1 = CPU_usage_ratio.avg() by 1d, last_version