Skip to main content
Skip table of contents

Visual editor

Use the Visual editor to create powerful and flexible investigations without the need to write and master the NQL syntax from the NQL data model.

The Visual editor is a graphical NQL tool that allows you to:

  • Use a table to list and visualize a collection of objects such as users, devices, binaries or events.

  • Add additional columns with various properties and metrics.

  • Fine-tune the results using conditions and filters based on properties and metric values.

  • Switch between the Visual editor and NQL editor, or use both modes to build queries.

Accessing the Visual editor

  1. Select Investigations from the main menu to create or edit an existing investigation.

  2. Under the Visual editor, use the Display drop-down menu to select any other data collection:

    • Inventory objects such as users, devices and binaries.

    • Events such as execution crashes and device performance.

  3. After choosing an option from the Display drop-down, a set of default columns appears in the results table.

    • See the Adding fields and conditions section on this page to modify the columns in the Investigation results table.

    • The Visual editor on the Investigations page displays Devices by default.

Display drop-down menu

Selecting connection events for Network view

Choosing Connection events from the Display drop-down of the Visual editor on the Investigations page enables the Network tab with a Network view visualization.

Refer to the Network view documentation to learn how to identify and troubleshoot network-related issues.

Adjusting the timeframe

From the Visual editor on the Investigations page, select a timeframe from the active during drop-down.

The timeframe is set to Past 7 days by default.

Unlike in the NQL editor, the timeframe selection is mandatory to query objects and events in the Visual editor.

Timeframe

Timeframe for events

The system limits the results to events within the selected time period.

Timeframe for objects

The system limits the results to the active inventory within the selected timeframe. This means the system outputs objects detected during the selected timeframe.

The selected timeframe automatically applies across metric columns computed for a given object.

The source collection and computed metric have the same timeframe.

The following is an example of the NQL syntax used by the Visual editor:

CODE
devices during past 7d 
| include execution.crashes during past 7d 
| compute number_of_crashes__0 = crash.number_of_crashes.sum()

Using the investigation result table for insights

Hover over a specific cell value in the investigation results table, to open the action menu and access different options depending on the field:

  • Drill down to … opens an Investigation page with the NQL query listing the results specific to the row of the selected cell value under the field column of interest. See the image below.

    • The Drill down to... option is available for field metric values.

  • Copy value or Copy raw value. Remember, the system shortens large numbers with appropriate suffixes. Hover over a metric to see the raw number.

  • Only for inventory objects such as users, devices and binaries; the contextual action menu allows you to:

    • Open binary profiling, Open user overview or Open Device View, depending on the case.

    • Diagnose for diagnostics dashboards.

    • Retrieve all pre-filled investigation queries in the inventory-object context.

Action bar

Additionally, when you select entire rows by ticking the checkboxes on the left of the table, the system displays an action bar at the bottom of the Nexthink web interface.

The action bar includes the action menu options listed above, plus the possibility to Execute action or Edit.

Drilling down investigation result table.

Adding fields to an investigation

To change the displayed columns in the investigation results from the Investigations page > Visual editor:

  1. Click the Add field button in the Fields right-side panel on the Investigations page to open the Add field pop-up.

  2. Search for or choose field metrics and properties available from the source collections and associated collections.

    • The system organizes available metrics into categories.

    • The system displays selected fields under Current fields. If needed, remove any field.

  3. Depending on the selected field, the system opens a pop-up to Add condition. See the Adding conditions to a field section for more information.

  4. Click done to add all selected fields and subsequently, change the displayed columns in the Investigation results table. See the image below.

The system uses the default aggregation after you add a field column. The Visual editor does not currently support changing the default aggregation. See the Summarizing investigation results section on this page.

Switch to the NQL editor to check the active aggregation method. For example, the sum aggregation function applied to the selected metric for the number_of_crashes:

CODE
devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
| list device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, number_of_crashes__0
Adding a field modal

Adding conditions to a metric field

The following steps show an example of adding condition values to the Incoming traffic field for different binaries:

  1. Click the Add field button in the Fields right-side panel on the Investigations page > Visual editor to open the Add field pop-up.

    • Alternatively, you can right-click an existing field to Edit.

  2. In this example, you create two separate columns to display incoming traffic from the skype and Zoom binaries. Therefore, you must repeat these steps for each binary:

    • Select the Incoming traffic field to add conditions on the skype or Zoom binary.

    • Add condition(s) to restrict the metric value of the Incoming traffic.

    • Save the condition-specific field under a unique Column name.

See the image below for a visual representation.

Field conditions considerations

  • Adding multiple conditions automatically adds the and logical operator between them.

  • Adding multiple metric values or properties to the same condition automatically adds the or logical operator.

  • The autocomplete feature suggests existing property values. If needed, use wildcards:

    • * to substitute for zero or more characters

    • ? to substitute for zero or one character

1713964772-1713961612.png

Filtering investigation results

To filter investigation results, you have the following options:

  • Add filter button from the Visual editor on the Investigations page.

  • Add filter… from the action menu of a selected item to apply its value or property as a filter to the entire field column.

  • Add filter… from the action menu of a column header or a specific field in the right-side panel to set filter values to the entire field column.

The system lists added filters next to the Add filter button on the Investigations page. Right-click on an added filter to Edit or Remove the filter.

The Visual editor loads and displays Advanced filters created in the NQL editor. This includes, for example, queries with or operators and nested and combinations. Switch back to the NQL editor to edit advanced filters.

Example of adding filters from the Add filter button

The example below describes the steps for adding a TCP filter to a Connection events investigation result:

  1. Click the Add filter button from the Visual editor on the Investigations page to open the Add filter pop-up.

  2. Select Connection events from the first drop-down.

  3. Select or search Transport protocol from the second drop-down.

  4. Select the is operation and add TCP as the item.

    • Optionally, add multiple conditions.

  5. Click done to save the filter.

Add filter button in the visual editor.

Example of adding filters from an investigation item

The example below describes the steps for adding a is '1' filter to the Total number of connections field directly from an investigation result item.

  1. Right-click on the desired item metric value from the results table to open the action menu. In this example, the value of 1 under the Total number of connections field column.

  2. From the Add filter… action menu of a selected item, click the is '1' and filter the entire field column to show that item value.

Adding filters from an investigation item.

Example of adding filters from field columns

The example below describes the steps for setting a filter value on the Total number of connections field directly from the Investigations field header.

From the Investigations page > Visual editor:

  1. Right-click on the field column header from the results table to open the action menu. In this example, the Total number of connections field column from the Connection events investigation result.

  2. Click the Add filter… option from the column header action menu to open the Set filter pop-up. Choose the condition operator and one or multiple values for the conditions. In this case, Is greater than '2'.

Summarizing investigation results

The summarize mode in the Visual editor allows you to aggregate and break down investigation metrics and properties into groups and time periods.

To activate the summarize mode from the Investigations page > Visual editor, choose one of these options:

  • Enable the Summarize results toggle button in the Fields right-side panel.

  • Right-click the field column header from the Investigations results table to open the action menu and select the Summarize option.

Exit summarize mode by disabling the Summarize results toggle button.

Adding fields when in summarize mode

When adding fields in summarize mode from the Investigations page > Visual editor, consider the following:

  • The system adds properties of supported data types (string, UID, Boolean, enumeration, version) to the results list as a group by field.

  • The system adds metrics to the results list and aggregates the data by default.

Adding filters when in summarize mode

When adding filters in summarize mode from the Investigations page > Visual editor, consider the following:

  • Filters on properties used in the group by are reflected in the results.

  • Filters on metric numerical values still affect the Investigations results table after disabling the Summarize results toggle button.

Overall, the system aggregates metric numerical values, but clusters properties using the group by clause for supported data types (string, UID, Boolean, enumeration, version).

Saving an investigation

Click on the Save as button in the top-right corner of the Investigations page to save an investigation.

Saved investigations appear on the Manage Investigations page and in the navigation panel for the Investigations module.

If you are editing an existing investigation, you can:

  • Click Save to save the changes.

  • Click Save as to save the investigation under a different name.

Investigations page action menu

Sharing and exporting an investigation

Click on the action menu in the top-right corner of the Investigations page to:

  • Share an investigation with groups of users based on their user profile, and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation. Refer to the Sharing an investigation section of the Manage Investigations documentation for more information.

  • Copy link to an investigation and share it with other Nexthink users. Copy link shares the query text in the URL and is always treated as a new investigation for the user you send the link to.

  • Export results of the data returned by the investigation in a CSV file.

    • By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.

    • Ticking the Formatted data checkbox from the Export results in the CSV pop-up, allows you to format Raw data. Open the table below for more details.

Table: Formatted data versus Raw data

This table displays the differences between exporting Raw data and Formatted data for most data types.

Data type

Example of Raw data

Example of Formatted data

bool/bool

0

1

No

Yes

bytes/bytes

5109928912799

4.65 TB

jsontype[]/device/antivirus

JSON
[{"name":"Cortex XDR‚Ñ¢ Advanced Endpoint Protection","realTimeProtection":2,"upToDate":2},{"name":"Microsoft Defender Antivirus","realTimeProtection":3,"upToDate":2}]

Cortex XDR™ Advanced Endpoint Protection;
Microsoft Defender Antivirus

jsontype[]/device/cpu

CODE
[{"name":"Apple M1 Pro","numberOfCores":10,"numberOfLogicalCpus":10}]

Apple M1 Pro

jsontype[]/device/disk

CODE
[{"name":"APPLE SSD AP1024R","type":3,"bootDisk":true,"size":1.00055561E12}]

APPLE SSD AP1024R

jsontype[]/device/firewall

CODE
[{"name":"Windows Firewall","realTimeProtection":2}]

Windows Firewall

jsontype[]/device/gpu

CODE
[{"name":"NVIDIA Quadro P520","ram":"2147483648"},{"name":"Intel UHD Graphics","ram":"1073741824"}]

NVIDIA Quadro P520;
Intel UHD Graphics

jsontype[]/device/local_admin

CODE
[{"name":"Nexthink@NXT-HDKTYD3","type":1},{"name":"localadmin@NXT-HDKTYD3","type":1}]

Nexthink@NXT-HDKTYD3;
localadmin@NXT-HDKTYD3

jsontype[]/device/monitor

CODE
[{"name":"DELL","serialNumber":"D1CLSS2-4133544C","vendor":"DEL","manufacturingYear":2019,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":27.1},{"name":"Wide viewing angle \u0026 High density FlexView Display 1920x1080","vendor":"LEN","manufacturingYear":2018,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":13.9}]

DELL;
Wide viewing angle & High density FlexView Display 1920x1080

jsontype[]/device/volume

CODE
[{"name":"disk0s1","size":5.24288E8,"usage":0.232,"freeSpace":4.02653184E8,"mount":"disk0s1"},{"name":"disk0s2","system":true,"size":4.94384808E11,"usage":0.9055235,"freeSpace":4.6707769E10,"mount":"disk0s2"},{"name":"disk0s3","size":5.3686641E9,"usage":1.0,"mount":"disk0s3"}]

disk0s1;
disk0s2;
disk0s3

numeric/duration

900

15min

numeric/float

4997.0634765625

5k

numeric/long

4111

4111

numeric/integer

3462

3.46k

numeric/numeric

65287

65287

string/bytes

xdt7cS8oDDrk9zGtfV6hcQ==

xdt7cS8oDDrk9zGtfV6hcQ==

string/datetime

2024-02-23 17:45:00

23/02/2024 17:45:00

string/ipAddress

192.168.1.23

192.168.1.23

string/ipAddressArray

::ffff:62.2.17.60,::ffff:62.2.24.162

::ffff:62.2.17.60::ffff:62.2.24.162

string/jsonArrayString

CODE
["Appinfo","NaturalAuthentication","TokenBroker","UserManager","XblGameSave","shpamsvc"]

Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc

string/string

NXT-FVFWW2RZHV2H

NXT-FVFWW2RZHV2H

string/uuid

a8572a66-e312-4bda-9515-9b9666555aa4

a8572a66-e312-4bda-9515-9b9666555aa4

string/version

[10,0,22000,653]

10.0.22000.653

Rename or Delete an existing investigation using the same action menu from the Investigations page.

Switching from Visual editor to NQL editor

Investigations created in the Visual editor always have an associated NQL query that you can view by switching to the NQL editor tab, and vice-versa for supported cases.

The system alerts you if the Visual editor does not support modifications typed into the NQL editor.

Incompatible NQL query message

Visual editor unsupported NQL statements

The Visual editor does not currently support the following features when using the visual builder:

  • Changing aggregation of the metrics

  • with clause (all metrics from associated events are added using “include”)

  • sort clause on multiple columns

  • limit clause

The Visual editor loads and displays Advanced filters created in the NQL editor. This includes, for example, queries with or operators and nested and combinations. Switch back to the NQL editor to edit advanced filters.

The Visual editor is progressively expanding the number of supported NQL statements. However, the NQL editor currently remains the preferred tool for advanced queries.


RELATED TOPIC

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.