
Investigations NQL examples

This list of query examples is designed to help you perform successful investigations in the Nexthink web interface. Go through the investigations listed below and pick the one most similar to the investigation you’re trying to complete. Copy the query and adjust it to your use case.

Query device tables

Get total incoming traffic for outlook.exe in the past 7d for all devices.
CODE
devices
| include execution.events during past 7d
| where binary.name == "outlook.exe"
| compute total_incoming_traffic = incoming_traffic.sum()
| list device.name, device.entity, total_incoming_traffic
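The same device-table pattern (include execution events, compute a per-device value, list) also answers a common investigation question: which devices ran a given binary in the past 7d, and how often. The query below is an added example written for this page, not one of Nexthink's own; "psexec.exe" is a placeholder binary name to replace with the one under investigation, and the `executions` alias is chosen here. It uses only the table, fields and functions that appear in the queries on this page.

```nql
devices
| include execution.events during past 7d
| where binary.name == "psexec.exe"
| compute executions = count()
| where executions > 0
| list device.name, device.entity, executions
```

Dropping the `where executions > 0` line turns the result into a full inventory (devices with zero executions included), which is useful when you want to confirm that a binary did not run anywhere.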
Find out whether system crashes have been frequent, for example, whether more than 2% of devices had a crash in the past 24h.
CODE
devices during past 24h
| include device_performance.system_crashes
| compute system_crash_count = number_of_system_crashes.sum(), crashing_devices = device.count()
| summarize ratio_of_devices_crashing = crashing_devices.sum() * 100 / count(), total_system_crashes = system_crash_count.sum()
List all devices that need a memory upgrade.
CODE
devices during past 7d
| include device_performance.events during past 7d
| compute used_memory_ = event.used_memory.avg(), used_memory_percentage = event.used_memory.avg() * 100 / device.hardware.memory.avg()
| where used_memory_percentage > 75
| list device.name, device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, device.hardware.memory, used_memory_, used_memory_percentage
Count the number of devices that need a memory upgrade and do a breakdown of devices by hardware manufacturer.
CODE
devices during past 7d
| include device_performance.events during past 7d
| compute used_memory_ = event.used_memory.avg(), used_memory_percentage = event.used_memory.avg() * 100 / device.hardware.memory.avg()
| where used_memory_percentage > 75
| summarize devices_needing_upgrade = count() by hardware.manufacturer
List devices with low disk space.
CODE
devices
| with device_performance.events during past 124h
| compute free_space_on_system_drive = system_drive_free_space.avg()
| where free_space_on_system_drive < 2000MB
Retrieve devices. List all devices with the Nexthink Collector package installed.
CODE
devices
| with package.installed_packages
| where package.name == "Nexthink Collector"
Retrieve devices. List all devices without the Nexthink Collector package installed.
CODE
devices
| include package.installed_packages
| where package.name == "Nexthink Collector"
| compute number_of_package_installed = count()
| where number_of_package_installed == 0

Query other tables

Retrieve installation events. List all uninstallation of a specific package across all devices.
CODE
package.uninstallations
| where package.name == "Nexthink Collector"
| list time, device.name, package.name, package.version
Retrieve packages. List all packages starting with the ones installed on most devices.
CODE
package.installed_packages
| summarize number_of_packages_installed = count() by package.name
| sort number_of_packages_installed desc
Retrieve packages. List all packages starting with the ones installed on fewest devices.
CODE
package.installed_packages
| summarize number_of_packages_installed = count() by package.name
| sort number_of_packages_installed asc
Retrieve packages. List packages installed on fewer than 5 devices but installed on at least one device.
CODE
package.installed_packages
| summarize number_of_packages_installed = count() by package.name
| where number_of_packages_installed > 0 and number_of_packages_installed < 5
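The package queries above count installations per package name; for patch-hygiene and agent-coverage investigations you usually also want the version spread of one package, so that devices left on an old build stand out. The query below is an added example for this page, not from the Nexthink documentation; "Nexthink Collector" is reused from the examples above only as a placeholder package name, and the `devices` alias is chosen here. It combines `package.version` (used in the uninstallation example) with the `summarize ... by` and `sort` pattern already shown for package counts.

```nql
package.installed_packages
| where package.name == "Nexthink Collector"
| summarize devices = device.count() by package.version
| sort devices desc
```

Sorting by `package.version asc` instead puts the oldest builds first, which is the view you want when deciding which devices to upgrade.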
List the number of system crashes grouped by error label for the crash.
CODE
device_performance.system_crashes during past 7d
| summarize number_of_crashes = number_of_system_crashes.sum() by label
| sort number_of_crashes desc
Count the number of active devices per day over the past 7 days.
CODE
device_performance.events during past 7d
| summarize nb_devices = device.count() by 1d
| sort start_time asc
Get the 14-day history of the number of devices with low disk space.
CODE
device_performance.events during past 14d
| where system_drive_free_space.avg <= 1000MB
| summarize devices_with_low_disk_space = device.count() by 1d
Get crash statistics per binary.
CODE
execution.crashes during past 7d
| summarize crashes = count(), devices_with_crashes = device.count(), versions_with_crashes = binary.version.count() by binary.name, binary.product_name, binary.platform
| sort devices_with_crashes desc
Get crash statistics for a selected binary on a daily timeline.
CODE
execution.crashes during past 7d
| where binary.name == "zscaler"
| summarize crashes = count(), devices_with_crashes = device.count(), versions_with_crashes = binary.version.count() by 1d
Compute the average usage time of an application per user over the past 7d, broken down by department.
CODE
web.events during past 7d
| where application.name == "Salesforce Lightning"
| summarize average_department_usage_time_per_user = duration.sum() / user.name.count() by ad.department
| sort average_department_usage_time_per_user desc
Count campaign responses by campaign and by state to understand campaign progress.
CODE
campaign.responses
| where campaign.name != null
| summarize number_of_responses = count() by campaign.name, state, state_details
| sort campaign.name asc