Skip to main content
Skip table of contents

NQL editor

The NQL editor is the feature offering a web-based user interface allowing you to write and execute investigations using the Nexthink Query Language (NQL).

The embedded syntax editor allows for adjusting of existing queries or creating new ones from scratch. The results help you to investigate issues and problems faced by the employees of your organization.

NQL editor page

Accessing the NQL editor

  • Select Investigations from the main menu.

  • Click on an existing investigation in the navigation panel or on a New button to start building your NQL query. The Visual editor tab opens by default.

  • Switch to the NQL editor tab and start writing your NQL query.

Using the investigation result table for insights

Hover over a specific cell value in the investigation results table, to open the action menu and access different options depending on the field:

  • Drill down to … opens an Investigation page with the NQL query listing the results specific to the row of the selected cell value under the field column of interest. See the image below.

    • The Drill down to... option is available for field metric values.

  • Copy value or Copy raw value. Remember, the system shortens large numbers with appropriate suffixes. Hover over a metric to see the raw number.

  • Only for inventory objects such as users, devices and binaries; the contextual action menu allows you to:

    • Open binary profiling, Open user overview or Open Device View, depending on the case.

    • Diagnose for diagnostics dashboards.

    • Retrieve all pre-filled investigation queries in the inventory-object context.

Action bar

Additionally, when you select entire rows by ticking the checkboxes on the left of the table, the system displays an action bar at the bottom of the Nexthink web interface.

The action bar includes the action menu options listed above, plus the possibility to Execute action or Edit.

Drilling down investigation result table.

Saving an investigation

Click on the Save as button in the top-right corner of the Investigations page to save an investigation.

Saved investigations appear on the Manage Investigations page and in the navigation panel for the Investigations module.

If you are editing an existing investigation, you can:

  • Click Save to save the changes.

  • Click Save as to save the investigation under a different name.

Save as button

Sharing and exporting an investigation

Click on the action menu in the top-right corner of the Investigations page to:

  • Share an investigation with groups of users based on their user role, and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation. Refer to the Sharing an investigation section of the Manage Investigations documentation for more information.

  • Copy link to an investigation and share it with other Nexthink users. Copy link shares the query text in the URL and is always treated as a new investigation for the user you send the link to.

  • Export results of the data returned by the investigation in a CSV file.

    • By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.

    • Ticking the Formatted data checkbox from the Export results in the CSV pop-up, allows you to format Raw data. See the table below for more details.

Exporting investigations results: Formatted data versus Raw data

This table displays the differences between exporting Raw data and Formatted data for most data types.

Data type

Example of Raw data

Example of Formatted data

bool/bool

0

1

No

Yes

bytes/bytes

5109928912799

4.65 TB

jsontype[]/device/antivirus

JSON
[{"name":"Cortex XDR‚Ñ¢ Advanced Endpoint Protection","realTimeProtection":2,"upToDate":2},{"name":"Microsoft Defender Antivirus","realTimeProtection":3,"upToDate":2}]

Cortex XDR™ Advanced Endpoint Protection;
Microsoft Defender Antivirus

jsontype[]/device/cpu

CODE
[{"name":"Apple M1 Pro","numberOfCores":10,"numberOfLogicalCpus":10}]

Apple M1 Pro

jsontype[]/device/disk

CODE
[{"name":"APPLE SSD AP1024R","type":3,"bootDisk":true,"size":1.00055561E12}]

APPLE SSD AP1024R

jsontype[]/device/firewall

CODE
[{"name":"Windows Firewall","realTimeProtection":2}]

Windows Firewall

jsontype[]/device/gpu

CODE
[{"name":"NVIDIA Quadro P520","ram":"2147483648"},{"name":"Intel UHD Graphics","ram":"1073741824"}]

NVIDIA Quadro P520;
Intel UHD Graphics

jsontype[]/device/local_admin

CODE
[{"name":"Nexthink@NXT-HDKTYD3","type":1},{"name":"localadmin@NXT-HDKTYD3","type":1}]

Nexthink@NXT-HDKTYD3;
localadmin@NXT-HDKTYD3

jsontype[]/device/monitor

CODE
[{"name":"DELL","serialNumber":"D1CLSS2-4133544C","vendor":"DEL","manufacturingYear":2019,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":27.1},{"name":"Wide viewing angle \u0026 High density FlexView Display 1920x1080","vendor":"LEN","manufacturingYear":2018,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":13.9}]

DELL;
Wide viewing angle & High density FlexView Display 1920x1080

jsontype[]/device/volume

CODE
[{"name":"disk0s1","size":5.24288E8,"usage":0.232,"freeSpace":4.02653184E8,"mount":"disk0s1"},{"name":"disk0s2","system":true,"size":4.94384808E11,"usage":0.9055235,"freeSpace":4.6707769E10,"mount":"disk0s2"},{"name":"disk0s3","size":5.3686641E9,"usage":1.0,"mount":"disk0s3"}]

disk0s1;
disk0s2;
disk0s3

numeric/duration

900

15min

numeric/float

4997.0634765625

5k

numeric/long

4111

4111

numeric/integer

3462

3.46k

numeric/numeric

65287

65287

string/bytes

xdt7cS8oDDrk9zGtfV6hcQ==

xdt7cS8oDDrk9zGtfV6hcQ==

string/datetime

2024-02-23 17:45:00

23/02/2024 17:45:00

string/ipAddress

192.168.1.23

192.168.1.23

string/ipAddressArray

::ffff:62.2.17.60,::ffff:62.2.24.162

::ffff:62.2.17.60::ffff:62.2.24.162

string/jsonArrayString

CODE
["Appinfo","NaturalAuthentication","TokenBroker","UserManager","XblGameSave","shpamsvc"]

Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc

string/string

NXT-FVFWW2RZHV2H

NXT-FVFWW2RZHV2H

string/uuid

a8572a66-e312-4bda-9515-9b9666555aa4

a8572a66-e312-4bda-9515-9b9666555aa4

string/version

[10,0,22000,653]

10.0.22000.653

Rename or Delete an existing investigation using the same action menu from the Investigations page.

Using the investigation action bar

The Investigate option in the action bar provides multiple opportunities to narrow down your search by getting items relevant to the investigation results. Investigate works within the context of the query, enforcing the time frame and the conditions of the original investigation. The action bar automatically appears at the bottom of the screen after a query is executed.

Follow these steps to Investigate:

  1. Write an NQL query and press the Run button to show the results of the query.

    • Running NQL queries to investigate connection.events enables the Network tab. Refer to the Network view documentation to learn how to troubleshoot network-related issues using the network view visualization.

  2. Select the items that you wish to investigate by selecting the corresponding checkboxes. Once the first item is selected the action bar indicates the number of entries chosen along with the Investigate button.

  3. Click on the Investigate button.

  4. Select the type of investigation you wish to perform from the pop-up menu.

Investigate option in the action bar

Applying privacy policy to investigations

There are four levels of data privacy defined in the account role that specify access rights and are relevant to data visibility in the Investigations dashboard.

  • anonymous users, devices, destinations and domains: user accounts with this role cannot view the names of users, devices, destinations or domains.

  • anonymous users and devices: user accounts with this role cannot view the names of users or devices.

  • anonymous users: user accounts with this role cannot see the names of users.

  • none (full access): user accounts with this role have full access to the collected data.

Refer to the Roles documentation for more information about the privacy settings.

When a certain anonymization level is applied to the account role, it will affect how information in the Investigations dashboard is displayed, for example, the system displays Username and Email address columns as hidden.

Investigation results with hidden usernames


RELATED TOPIC

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.