Custom trends NQL examples

Keeping track of execution crashes

Track the daily number of execution crashes.

Custom trend definition

CODE
devices
| include execution.crashes past 1d
| compute nb_crashes = number_of_crashes.sum()
| list nb_crashes, hardware.manufacturer

Custom trend data retrieval

You can use the above trend definition to create the following dashboard:

Trend data dashboard example
  1. Compute the number of devices with crashes and the total number of devices.

    CODE
    custom_trend.#execution_crashes.snapshots during past 90d
    | summarize devices_with_crashes = device.countif(nb_crashes > 0), device_count = device.count()

  2. Observe daily changes of the total number of crashes over the last 90 days.

    CODE
    custom_trend.#execution_crashes.snapshots during past 90d
    | summarize number_of_crashes_ = nb_crashes.sum() by 1d

  3. Observe the total number of crashes per device platform. Include only devices with at least one crash.

    CODE
    custom_trend.#execution_crashes.snapshots during past 90d
    | where nb_crashes > 0
    | summarize number_of_crashes_ = nb_crashes.sum() by context.device_platform
    | sort number_of_crashes_ desc

  4. Observe the total number of crashes, and the number of devices with crashes per device hardware manufacturer.

    CODE
    custom_trend.#execution_crashes.snapshots during past 90d
    | where hardware_manufacturer != "VMWare"
    | where hardware_manufacturer != null
    | summarize number_of_crashes_ = nb_crashes.sum(), number_of_devices_ = device.count() by hardware_manufacturer
    | sort number_of_crashes_ desc

Monitoring Windows 11 migration

Track the ratio of devices with Windows 11 over time.

Custom trend definition

CODE
devices
| where operating_system.platform == windows
| list operating_system.name, hardware.type

Custom trend data retrieval

CODE
custom_trend.#windows_migration.snapshots during past 300d
| where hardware_type !in [virtual, null]
| summarize ratio_with_windows_11 = countif(operating_system_name == "*windows 11*")/count() by 1d

Monitoring boot duration

Track the average boot duration of each device to monitor the effect of implementing leaner configurations.

Custom trend definition

CODE
devices during past 1d
| include device_performance.boots during past 1d
| compute boot_duration = duration.avg()
| list boot_duration, hardware.type

Custom trend data retrieval

CODE
custom_trend.#boot_duration.snapshots during past 90d
| where (context.device_platform == "Windows" and hardware_type == laptop)
| summarize boot_duration_avg = boot_duration.avg() by 1d

Monitoring devices with application crashes on startup (trends with Boolean values)

Track the daily number of devices that had at least one application crash on application startup.

Note that Custom trends do not support metrics with the Boolean data type.

Custom trend definition

  • The following custom trend definition saves '1' for the true values and '0' for the false values.

CODE
devices during past 1d
| include execution.crashes during past 1d
| where crash_on_start == true
| compute crash_on_start_count = device.count()
| list crash_on_start_count

  • The following custom trend definition saves the number of application crashes on application startup per device. By using count() instead of device.count(), the system saves the number of application crashes, allowing for more detailed statistics upon data retrieval.

CODE
devices during past 1d
| include execution.crashes during past 1d
| where crash_on_start == true
| compute crash_on_start_count = count()
| list crash_on_start_count

Custom trend data retrieval

CODE
custom_trend.#crashes_on_start.snapshots during past 300d
| where crash_on_start_count > 0
| summarize devices_with_app_crashes_at_start = count() by 1d

Monitoring the devices with Intune certification installed (trends with the Boolean values from the remote actions)

Track the daily number of devices with the Intune certification installed, based on data obtained using a remote action that returns Boolean values.

Note that Custom trends do not support metrics with the Boolean data type.

The following trend lets you monitor the returned value without directly storing the Boolean values. It is important to include the remote action status (last_status) in the custom trend NQL definition to distinguish successful remote action outputs equal to '0' (or false) from unsuccessful executions with no data obtained.

Custom trend definition

CODE
devices
| include remote_action.get_intune_device_status.executions during past 1d
| where outputs.onboarding_certificate_installed == True
| compute one_if_RA_successful_and_certificate_installed_zero_otherwise = device.count(), last_status = status.last()
| list one_if_RA_successful_and_certificate_installed_zero_otherwise, last_status

Custom trend data retrieval

CODE
custom_trend.#custom_trend_with__ra_bool.snapshots during past 300d
| summarize n_devices_with_certificate = countif(last_status = success and one_if_RA_successful_and_certificate_installed_zero_otherwise = 1),
n_devices_without_certificate = countif(last_status = success and one_if_RA_successful_and_certificate_installed_zero_otherwise = 0),
n_devices_without_information = countif(last_status != success) by 1d
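
The three-way split made by the retrieval query above, reproduced as an added Python example (not Nexthink's code) over constructed snapshot rows, together with the count of devices that a trend storing only the 0/1 value would misreport as lacking the certificate. The `failure` and `None` status values, the dates and the device names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

FLAG = "one_if_RA_successful_and_certificate_installed_zero_otherwise"

def _row(day, device, flag, status):
    return {"day": day, "device": device, FLAG: flag, "last_status": status}

# Constructed daily snapshot rows (not real data). "failure" and None are
# assumed stand-ins for an unsuccessful or missing remote action execution.
SNAPSHOTS = [
    _row("2024-05-01", "pc-01", 1, "success"),
    _row("2024-05-01", "pc-02", 0, "success"),
    _row("2024-05-01", "pc-03", 0, "failure"),
    _row("2024-05-01", "pc-04", 0, None),
    _row("2024-05-02", "pc-01", 1, "success"),
    _row("2024-05-02", "pc-02", 1, "success"),
    _row("2024-05-02", "pc-03", 0, "success"),
    _row("2024-05-02", "pc-04", 0, "failure"),
]

def summarize_with_status(rows):
    """Per-day counts using the same three conditions as the countif() calls."""
    out = defaultdict(Counter)
    for r in rows:
        if r["last_status"] != "success":
            bucket = "without_information"
        elif r[FLAG] == 1:
            bucket = "with_certificate"
        else:
            bucket = "without_certificate"
        out[r["day"]][bucket] += 1
    return {day: dict(c) for day, c in out.items()}

def summarize_flag_only(rows):
    """Per-day counts if last_status were not stored: every 0 reads as 'missing'."""
    out = defaultdict(Counter)
    for r in rows:
        key = "with_certificate" if r[FLAG] == 1 else "without_certificate"
        out[r["day"]][key] += 1
    return {day: dict(c) for day, c in out.items()}

def overcount(rows):
    """Devices per day that the flag-only view wrongly reports as uncertified."""
    full, naive = summarize_with_status(rows), summarize_flag_only(rows)
    return {d: naive[d].get("without_certificate", 0)
               - full[d].get("without_certificate", 0) for d in full}

if __name__ == "__main__":
    for day, counts in sorted(summarize_with_status(SNAPSHOTS).items()):
        print(day, counts, "flag-only overcount:", overcount(SNAPSHOTS)[day])
```
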

Monitoring CPU usage of different binary versions

Track the average CPU usage of an application, broken down by version.

Custom trend definition

CODE
devices
| include execution.events during past 1d
| where binary.name == "zoom.exe"
| compute CPU_usage_ratio = ((cpu_time.sum()) * (100)) / ((execution_duration.sum()) * (number_of_logical_processors.max())), last_version = binary.version.last()
| list CPU_usage_ratio, last_version

Custom trend data retrieval

CODE
custom_trend.#zoom_cpu_usage_ratio.snapshots during past 300d
| summarize c1 = CPU_usage_ratio.avg() by 1d, last_version
