
Visual editor

Use the Visual editor to create powerful and flexible investigations without having to write NQL by hand or master the NQL data model first.

The Visual editor is a graphical NQL tool that allows you to:

  • Use a table to list and visualize a collection of objects such as users, devices, binaries or events.

  • Add additional columns with various properties and metrics.

  • Fine-tune the results using conditions and filters based on properties and metric values.

  • Switch between the Visual editor and NQL editor, or use both modes to build queries.

Accessing the Visual editor

  1. Select Investigations from the main menu to create or edit an existing investigation.

  2. Under the Visual editor, use the Display drop-down menu to choose the data collection to investigate:

    • Inventory objects such as users, devices and binaries.

    • Events such as execution crashes and device performance.

  3. After choosing an option from the Display drop-down, a set of default columns appears in the results table. See the Adding fields to an investigation section on this page to modify the columns in the Investigation results table.

    • The Visual editor on the Investigations page displays Devices by default.

Display drop-down menu

Selecting connection events for Network view

Choosing Connection events from the Display drop-down of the Visual editor on the Investigations page enables the Network tab with a Network view visualization.

Refer to the Network view documentation to learn how to identify and troubleshoot network-related issues.

Adjusting the timeframe

From the Visual editor on the Investigations page, select a timeframe from the active during drop-down.

The timeframe is set to Past 7 days by default.

Unlike in the NQL editor, the timeframe selection is mandatory to query objects and events in the Visual editor.

Timeframe

Timeframe for events

The system limits the results to events within the selected time period.

Timeframe for objects

The system limits the results to the active inventory within the selected timeframe. This means the system outputs objects detected during the selected timeframe.

The selected timeframe automatically applies across metric columns computed for a given object.

The source collection and computed metric have the same timeframe.

The following is an example of the NQL syntax used by the Visual editor:

CODE
devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()

Adding fields to an investigation

To change the displayed columns in the investigation results from the Investigations page > Visual editor:

  1. Click the Add field button in the Fields right-side panel on the Investigations page to open the Add field pop-up.

  2. Search for or choose field metrics and properties available from the source collections and associated collections.

    • The system organizes available metrics into categories.

    • The system displays selected fields under Current fields. If needed, remove any field.

  3. Depending on the selected field, the system opens a pop-up to Add condition. See the Adding conditions to a metric field section for more information.

  4. Click done to add all selected fields and subsequently, change the displayed columns in the Investigation results table. See the image below.

The system uses the default aggregation after you add a field column. The Visual editor does not currently support changing the default aggregation. See the Summarizing investigation results section on this page.

Switch to the NQL editor to check the active aggregation method. For example, the sum aggregation function applied to the selected metric for the number_of_crashes:

CODE
devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
| list device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, number_of_crashes__0

Adding a field modal

Adding conditions to a metric field

The following steps show an example of adding condition values to the Incoming traffic field for different binaries:

  1. Click the Add field button in the Fields right-side panel on the Investigations page > Visual editor to open the Add field pop-up.

    • Alternatively, you can right-click an existing field to Edit.

  2. In this example, you create two separate columns to display incoming traffic from the skype and Zoom binaries. Therefore, you must repeat these steps for each binary:

    • Select the Incoming traffic field to add conditions on the skype or Zoom binary.

    • Add condition(s) to restrict the metric value of the Incoming traffic.

    • Save the condition-specific field under a unique Column name.

See the image below for a visual representation.

Field conditions considerations

  • Adding multiple conditions automatically adds the and logical operator between them.

  • Adding multiple metric values or properties to the same condition automatically adds the or logical operator.

  • The autocomplete feature suggests existing property values. If needed, use wildcards:

    • * to substitute for zero or more characters

    • ? to substitute for zero or one character
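Before applying a wildcard condition to a large inventory, it helps to check locally which property values it would select. The following added example (not part of this page or of the Nexthink product) translates a pattern into an anchored regular expression using the semantics stated above, `*` for zero or more characters and `?` for zero or one, and escapes everything else so that a dot in a binary name is matched literally. Whether the product matches case-sensitively is not stated on this page, so the example matches case-sensitively; the sample binary names are constructed.

```python
import re

# Wildcard semantics as stated on this page: '*' matches zero or more characters,
# '?' matches zero or one character. Case sensitivity is not documented here,
# so this check matches case-sensitively (assumption).


def wildcard_to_regex(pattern):
    """Translate a Visual editor wildcard pattern into an anchored regular expression.

    Every character other than '*' and '?' is matched literally, so regex
    metacharacters that occur in property values (the dot in 'Zoom.exe',
    parentheses or brackets in binary names) are escaped rather than interpreted.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")   # zero or more characters
        elif ch == "?":
            parts.append(".?")   # zero or one character (not exactly one, unlike a shell glob)
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern, values):
    """Return, in input order, the property values the wildcard condition would select."""
    regex = wildcard_to_regex(pattern)
    return [value for value in values if regex.match(value)]


# Constructed sample of binary names as they might appear in the inventory.
SAMPLE_BINARY_NAMES = ["Zoom", "Zooms", "Zoomed", "Zoom.exe", "Zoomxexe", "skype", "Skype.exe"]

if __name__ == "__main__":
    for pattern in ("Zoom?", "Zoom*", "Zoom.exe", "skype*"):
        print(pattern, "->", matches(pattern, SAMPLE_BINARY_NAMES))
```

The `Zoom?` case is the one worth checking: it selects both `Zoom` and `Zooms` but not `Zoomed`, which is the zero-or-one behaviour described above rather than the exactly-one behaviour of a shell glob.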


Filtering investigation results

To filter investigation results, you have the following options:

  • Add filter button from the Visual editor on the Investigations page.

  • Add filter… from the action menu of a selected item to apply its value or property as a filter to the entire field column.

  • Add filter… from the action menu of a column header or a specific field in the right-side panel to set filter values to the entire field column.

The system lists added filters next to the Add filter button on the Investigations page. Right-click on an added filter to Edit or Remove the filter.

The Visual editor loads and displays Advanced filters created in the NQL editor. This includes, for example, queries with or operators and nested and combinations. Switch back to the NQL editor to edit advanced filters.

Example of adding filters from the Add filter button

The example below describes the steps for adding a TCP filter to a Connection events investigation result:

  1. Click the Add filter button from the Visual editor on the Investigations page to open the Add filter pop-up.

  2. Select Connection events from the first drop-down.

  3. Select or search Transport protocol from the second drop-down.

  4. Select the is operation and add TCP as the item.

    • Optionally, add multiple conditions.

  5. Click done to save the filter.

Add filter button in the visual editor.

Example of adding filters from an investigation item

The example below describes the steps for adding an is '1' filter to the Total number of connections field directly from an investigation result item.

  1. Right-click on the desired item metric value from the results table to open the action menu. In this example, the value of 1 under the Total number of connections field column.

  2. From the Add filter… action menu of a selected item, click the is '1' to filter the entire field column to that item value.

Adding filters from an investigation item.

Example of adding filters from field columns

The example below describes the steps for setting a filter value on the Total number of connections field directly from the Investigations field header.

From the Investigations page > Visual editor:

  1. Right-click on the field column header from the results table to open the action menu. In this example, the Total number of connections field column from the Connection events investigation result.

  2. Click the Add filter… option from the column header action menu to open the Set filter pop-up. Choose the condition operator and one or multiple values for the conditions. In this case, Is greater than '2'.

Summarizing investigation results

The summarize mode in the Visual editor allows you to aggregate and break down investigation metrics and properties into groups and time periods.

To activate the summarize mode from the Investigations page > Visual editor, choose one of these options:

  • Enable the Summarize results toggle button in the Fields right-side panel.

  • Right-click the field column header from the Investigations results table to open the action menu and select the Summarize option.

Exit summarize mode by disabling the Summarize results toggle button.

Adding fields when in summarize mode

When adding fields in summarize mode from the Investigations page > Visual editor, consider the following:

  • The system adds properties of supported data types (string, UID, Boolean, enumeration, version) to the results list as a group by field.

  • The system adds metrics to the results list and aggregates the data by default.

Adding filters when in summarize mode

When adding filters in summarize mode from the Investigations page > Visual editor, consider the following:

  • Filters on properties used in the group by are reflected in the results.

  • Filters on metric numerical values still affect the Investigations results table after disabling the Summarize results toggle button.

Overall, the system aggregates metric numerical values, but clusters properties using the group by clause for supported data types (string, UID, Boolean, enumeration, version).

Saving an investigation

Click on the Save as button in the top-right corner of the Investigations page to save an investigation.

Saved investigations appear on the Manage Investigations page and in the navigation panel for the Investigations module.

If you are editing an existing investigation, you can:

  • Click Save to save the changes.

  • Click Save as to save the investigation under a different name.

Investigations page action menu

Sharing and exporting an investigation

Click on the action menu in the top-right corner of the Investigations page to:

  • Share an investigation with groups of users based on their user profile, and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation. Refer to the Sharing an investigation section of the Manage Investigations documentation for more information.

  • Copy link to an investigation and share it with other Nexthink users. Copy link encodes the query text in the URL, so the recipient opens it as a new investigation of their own rather than as the saved, shared one.

  • Export results of the data returned by the investigation in a CSV file.

    • By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.

    • Ticking the Formatted data checkbox in the Export results in CSV pop-up exports human-readable values instead of the Raw data. See the table below for the differences.

Table: Formatted data versus Raw data

This table displays the differences between exporting Raw data and Formatted data for most data types. Each entry gives the data type, followed by an example of the Raw value and of the Formatted value.

bool/bool
  Raw: 0, 1
  Formatted: No, Yes

bytes/bytes
  Raw: 5109928912799
  Formatted: 4.65 TB

jsontype[]/device/antivirus
  Raw: [{"name":"Cortex XDR™ Advanced Endpoint Protection","realTimeProtection":2,"upToDate":2},{"name":"Microsoft Defender Antivirus","realTimeProtection":3,"upToDate":2}]
  Formatted: Cortex XDR™ Advanced Endpoint Protection; Microsoft Defender Antivirus

jsontype[]/device/cpu
  Raw: [{"name":"Apple M1 Pro","numberOfCores":10,"numberOfLogicalCpus":10}]
  Formatted: Apple M1 Pro

jsontype[]/device/disk
  Raw: [{"name":"APPLE SSD AP1024R","type":3,"bootDisk":true,"size":1.00055561E12}]
  Formatted: APPLE SSD AP1024R

jsontype[]/device/firewall
  Raw: [{"name":"Windows Firewall","realTimeProtection":2}]
  Formatted: Windows Firewall

jsontype[]/device/gpu
  Raw: [{"name":"NVIDIA Quadro P520","ram":"2147483648"},{"name":"Intel UHD Graphics","ram":"1073741824"}]
  Formatted: NVIDIA Quadro P520; Intel UHD Graphics

jsontype[]/device/local_admin
  Raw: [{"name":"Nexthink@NXT-HDKTYD3","type":1},{"name":"localadmin@NXT-HDKTYD3","type":1}]
  Formatted: Nexthink@NXT-HDKTYD3; localadmin@NXT-HDKTYD3

jsontype[]/device/monitor
  Raw: [{"name":"DELL","serialNumber":"D1CLSS2-4133544C","vendor":"DEL","manufacturingYear":2019,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":27.1},{"name":"Wide viewing angle \u0026 High density FlexView Display 1920x1080","vendor":"LEN","manufacturingYear":2018,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":13.9}]
  Formatted: DELL; Wide viewing angle & High density FlexView Display 1920x1080

jsontype[]/device/volume
  Raw: [{"name":"disk0s1","size":5.24288E8,"usage":0.232,"freeSpace":4.02653184E8,"mount":"disk0s1"},{"name":"disk0s2","system":true,"size":4.94384808E11,"usage":0.9055235,"freeSpace":4.6707769E10,"mount":"disk0s2"},{"name":"disk0s3","size":5.3686641E9,"usage":1.0,"mount":"disk0s3"}]
  Formatted: disk0s1; disk0s2; disk0s3

numeric/duration
  Raw: 900
  Formatted: 15min

numeric/float
  Raw: 4997.0634765625
  Formatted: 5k

numeric/long
  Raw: 4111
  Formatted: 4111

numeric/integer
  Raw: 3462
  Formatted: 3.46k

numeric/numeric
  Raw: 65287
  Formatted: 65287

string/bytes
  Raw: xdt7cS8oDDrk9zGtfV6hcQ==
  Formatted: xdt7cS8oDDrk9zGtfV6hcQ==

string/datetime
  Raw: 2024-02-23 17:45:00
  Formatted: 23/02/2024 17:45:00

string/ipAddress
  Raw: 192.168.1.23
  Formatted: 192.168.1.23

string/ipAddressArray
  Raw: ::ffff:62.2.17.60,::ffff:62.2.24.162
  Formatted: ::ffff:62.2.17.60::ffff:62.2.24.162

string/jsonArrayString
  Raw: ["Appinfo","NaturalAuthentication","TokenBroker","UserManager","XblGameSave","shpamsvc"]
  Formatted: Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc

string/string
  Raw: NXT-FVFWW2RZHV2H
  Formatted: NXT-FVFWW2RZHV2H

string/uuid
  Raw: a8572a66-e312-4bda-9515-9b9666555aa4
  Formatted: a8572a66-e312-4bda-9515-9b9666555aa4

string/version
  Raw: [10,0,22000,653]
  Formatted: 10.0.22000.653
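As the table shows, the Formatted export keeps only the name of each jsontype[] entry and drops the numeric status fields (realTimeProtection, upToDate, type), so automation that needs those values, for example to review local administrator accounts or endpoint protection state across the fleet, should export Raw data and decode it itself. The following added example (not part of this page or of the Nexthink product) does that for a constructed two-row raw export whose cell values follow the Raw data shapes in the table; the CSV column names are assumed and must be checked against a real export, and the meaning of the numeric status codes is not documented on this page, so they are carried through unchanged rather than interpreted.

```python
import csv
import io
import json

# Constructed two-row Raw data export, not a real Nexthink file. Cell contents
# follow the Raw data shapes in the table above; the column names are assumed
# and must be checked against a real export.
RAW_EXPORT = '''device.name,device.antivirus,device.firewall,device.local_admin,device.operating_system.version,device.hardware.memory
NXT-HDKTYD3,"[{""name"":""Microsoft Defender Antivirus"",""realTimeProtection"":3,""upToDate"":2}]","[{""name"":""Windows Firewall"",""realTimeProtection"":2}]","[{""name"":""Nexthink@NXT-HDKTYD3"",""type"":1},{""name"":""localadmin@NXT-HDKTYD3"",""type"":1}]","[10,0,22000,653]",5109928912799
NXT-FVFWW2RZHV2H,[],[],[],"[14,2,1,0]",17179869184
'''


def parse_json_list(cell):
    """Raw jsontype[] cells hold a JSON array of objects; an empty cell means no entries."""
    if not cell or not cell.strip():
        return []
    value = json.loads(cell)
    if not isinstance(value, list):
        raise ValueError("expected a JSON array, got %s" % type(value).__name__)
    return value


def names_of(items):
    """Reproduce the Formatted rendering of a jsontype[] cell: entry names joined by ';'."""
    return "; ".join(item.get("name", "") for item in items)


def format_bytes(raw):
    """Raw byte count to a binary-unit string, e.g. 5109928912799 -> '4.65 TB' as in the table."""
    n = float(raw)
    units = ["B", "KB", "MB", "GB", "TB", "PB"]
    i = 0
    while n >= 1024 and i < len(units) - 1:
        n /= 1024
        i += 1
    return "%.2f %s" % (n, units[i])


def format_version(raw):
    """Raw string/version is a JSON array of components: [10,0,22000,653] -> '10.0.22000.653'."""
    return ".".join(str(int(part)) for part in json.loads(raw))


def audit_export(raw_csv):
    """Return one record per device, keeping the status codes the Formatted export drops
    and adding simple review flags (no antivirus entry, no firewall entry, more than one
    local administrator account)."""
    records = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        admins = parse_json_list(row["device.local_admin"])
        antivirus = parse_json_list(row["device.antivirus"])
        firewall = parse_json_list(row["device.firewall"])
        flags = []
        if not antivirus:
            flags.append("no_antivirus")
        if not firewall:
            flags.append("no_firewall")
        if len(admins) > 1:
            flags.append("multiple_local_admins")
        records.append({
            "device": row["device.name"],
            "os_version": format_version(row["device.operating_system.version"]),
            "memory": format_bytes(row["device.hardware.memory"]),
            "local_admins": [a.get("name", "") for a in admins],
            # Status codes are kept as exported; their meaning is not documented on this page.
            "antivirus": {a.get("name", ""): (a.get("realTimeProtection"), a.get("upToDate"))
                          for a in antivirus},
            "firewalls": names_of(firewall),
            "flags": sorted(flags),
        })
    return records


if __name__ == "__main__":
    print(json.dumps(audit_export(RAW_EXPORT), indent=2))
```

Because the web table is capped at 10,000 rows and the CSV export at 1,000,000 rows, as noted above, a script like this should also compare the exported row count against the expected inventory size before trusting that the audit covered every device.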

Rename or Delete an existing investigation using the same action menu from the Investigations page.

Switching from Visual editor to NQL editor

Investigations created in the Visual editor always have an associated NQL query that you can view by switching to the NQL editor tab, and vice-versa for supported cases.

The system alerts you if the Visual editor does not support modifications typed into the NQL editor.

Incompatible NQL query message

Visual editor unsupported NQL statements

The Visual editor does not currently support the following features when using the visual builder:

  • Changing aggregation of the metrics

  • with clause (all metrics from associated events are added using “include”)

  • sort clause on multiple columns

  • limit clause


The Visual editor is progressively expanding the number of supported NQL statements. However, the NQL editor currently remains the preferred tool for advanced queries.

