Expanding investigations time frame with Finder (classic)

Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.

Because of the large number of events that a Nexthink instance stores, investigations that iterate through activities or events may have a high computational cost.

An investigation iterates through activities or events for one of the following reasons:

  • The investigation retrieves activities or events. For example, an investigation that lists all the executions that ran on a particular device during the last hour.

  • The investigation retrieves objects, but it does so under one or several of the following circumstances:

    • A condition on activities or events. For example, an investigation that lists the devices where a package was removed (uninstallation events) during the last day.

    • The computation of at least one aggregate depends on activities or events and is not pre-calculated for the full period available in the data storage layers. For example, an investigation that lists the devices with outgoing network traffic bigger than 10 MB during the last hour.

    • A forced time frame restriction. For example, an investigation that lists the users with a time frame of the last 1 day returns only the users that were active during that day.

These investigations do not admit the Full available period time frame because they could take too long to execute completely. In fact, to avoid long and costly computations, the time frame of activity-related investigations is limited to a maximum of 7 days by default.

To circumvent the 7-day limit for investigations in Finder, you need to manipulate the Windows registry. After removing the limit, Finder allows you to query with investigations whose time frames span up to the maximum number of days available in the Nexthink instance. Be aware, however, that investigations with very long time frames may require more computation power, rendering the data processing layer less responsive and potentially impacting other users of Finder. Consequently, you should handle this feature with care:

  1. On the computer where Finder is installed, press Win(key)+R to display the run dialog.

  2. Type in regedit as the program to open in the dialog and press Enter. The Registry Editor opens.

  3. Browse the Windows registry in the Registry Editor and select the key HKEY_CURRENT_USER\Software\Nexthink.

    • If the key does not exist, create it by right-clicking the Software folder:

      1. Select New -> Key from the context menu.

      2. Type in Nexthink as the name of the new key.

      3. Right-click the area on the right-hand side of the Registry Editor that holds the list of values for the key.

      4. Select New -> DWORD (32-bit) Value from the context menu.

      5. Type in Remove7DayLimit as the name of the value.

  4. Right-click the value with the name Remove7DayLimit to change its data.

  5. Select Modify... in the context menu. The dialog to edit the value shows up.

  6. Set the value of the field Value data to 1 in the dialog.

  7. Click OK.

This method changes the registry value on one computer only. Alternatively, you can use GPO to impose the same registry value on all the computers where Finder is installed.
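The regedit steps above as a PowerShell script, added here as an example and not part of Nexthink's documentation or tooling. The key path and value name are the ones given on this page; the function names are hypothetical, and deleting the value to undo the change is an assumption (the page only describes setting it to 1).

```powershell
# Added example: scripted form of the regedit procedure on this page.
# Key path and value name come from the page; function names are hypothetical.
$KeyPath   = 'HKCU:\Software\Nexthink'
$ValueName = 'Remove7DayLimit'

function Get-FinderLimitOverride {
    # Returns the current DWORD data, or $null when the key or value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-FinderLimitOverride {
    # Creates the key if needed and sets Remove7DayLimit = 1 (DWORD).
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-FinderLimitOverride
    if ($before -ne 1 -and $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $KeyPath)) {
            # No -Force here: on an existing registry key it would wipe its values.
            New-Item -Path $KeyPath | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Emit a small record of who changed what, for change tracking.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        User     = $env:USERNAME
        Before   = $before
        After    = Get-FinderLimitOverride
    }
}

function Remove-FinderLimitOverride {
    # Assumption: deleting the value returns the registry to its state
    # before the procedure; the page does not describe a revert step.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($null -ne (Get-FinderLimitOverride) -and
        $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Delete value')) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
    }
}

Set-FinderLimitOverride -WhatIf   # preview; drop -WhatIf to apply
```

Run it in the session of the user who launches Finder, because the value lives under HKEY_CURRENT_USER and applies per user profile.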
