Visual editor
Use the Visual editor to create powerful and flexible investigations without the need to write and master the NQL syntax from the NQL data model.
The Visual editor is a graphical NQL tool that allows you to:
Use a table to list and visualize a collection of objects such as users, devices, binaries or events.
Add additional columns with various properties and metrics.
Fine-tune the results using conditions and filters based on properties and metric values.
Switch between the Visual editor and NQL editor, or use both modes to build queries.
Accessing the Visual editor
Select Investigations from the main menu to create or edit an existing investigation.
Under the Visual editor, use the Display drop-down menu to select any other data collection:
Inventory objects such as users, devices and binaries.
Events such as execution crashes and device performance.
After choosing an option from the Display drop-down, a set of default columns appears in the results table. See the Adding fields and conditions section on this page to modify the columns in the Investigation results table.
The Visual editor on the Investigations page displays Devices by default.
Selecting connection events for Network view
Choosing Connection events from the Display drop-down of the Visual editor on the Investigations page enables the Network tab with a Network view visualization.
Refer to the Network view documentation to learn how to identify and troubleshoot network-related issues.
Adjusting the timeframe
From the Visual editor on the Investigations page, select a timeframe from the active during drop-down.
The timeframe is set to Past 7 days by default.
Unlike in the NQL editor, the timeframe selection is mandatory to query objects and events in the Visual editor.
Timeframe for events
The system limits the results to events within the selected time period.
Timeframe for objects
The system limits the results to the active inventory within the selected timeframe. This means the system outputs objects detected during the selected timeframe.
The selected timeframe automatically applies across metric columns computed for a given object.
The source collection and computed metric have the same timeframe.
The following is an example of the NQL syntax used by the Visual editor:
devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
Adding fields to an investigation
To change the displayed columns in the investigation results from the Investigations page > Visual editor:
Click the Add field button in the Fields right-side panel on the Investigations page to open the Add field pop-up.
Search for or choose field metrics and properties available from the source collections and associated collections.
The system organizes available metrics into categories.
The system displays selected fields under Current fields. If needed, remove any field.
Depending on the selected field, the system opens a pop-up to Add condition. See the Adding conditions to a field section for more information.
Click done to add all selected fields and subsequently, change the displayed columns in the Investigation results table. See the image below.
The system uses the default aggregation after you add a field column. The Visual editor does not currently support changing the default aggregation. See the Summarizing investigation results section on this page.
Switch to the NQL editor to check the active aggregation method. For example, the sum
aggregation function applied to the selected metric for the number_of_crashes
:
devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
| list device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, number_of_crashes__0
Adding conditions to a metric field
The following steps show an example of adding condition values to the Incoming traffic field for different binaries:
Click the Add field button in the Fields right-side panel on the Investigations page > Visual editor to open the Add field pop-up.
Alternatively, you can right-click an existing field to Edit.
In this example, you create two separate columns to display incoming traffic from the skype and Zoom binaries. Therefore, you must repeat these steps for each binary:
Select the Incoming traffic field to add conditions on the skype or Zoom binary.
Add condition(s) to restrict the metric value of the Incoming traffic.
Save the condition-specific field under a unique Column name.
See the image below for a visual representation.
Field conditions considerations
Adding multiple conditions automatically adds the
and
logical operator between them.Adding multiple metric values or properties to the same condition automatically adds the
or
logical operator.The autocomplete feature suggests existing property values. If needed, use wildcards:
*
to substitute for zero or more characters?
to substitute for zero or one character
Filtering investigation results
To filter investigation results, you have the following options:
Add filter button from the Visual editor on the Investigations page.
Add filter… from the action menu of a selected item to apply its value or property as a filter to the entire field column.
Add filter… from the action menu of a column header or a specific field in the right-side panel to set filter values to the entire field column.
The system lists added filters next to the Add filter button on the Investigations page. Right-click on an added filter to Edit or Remove the filter.
The Visual editor loads and displays Advanced filters created in the NQL editor. This includes, for example, queries with or
operators and nested and
combinations. Switch back to the NQL editor to edit advanced filters.
Example of adding filters from the Add filter button
The example below describes the steps for adding a TCP filter to a Connection events investigation result:
Click the Add filter button from the Visual editor on the Investigations page to open the Add filter pop-up.
Select Connection events from the first drop-down.
Select or search Transport protocol from the second drop-down.
Select the
is
operation and add TCP as the item.Optionally, add multiple conditions.
Click done to save the filter.
Example of adding filters from an investigation item
The example below describes the steps for adding a is '1'
filter to the Total number of connections field directly from an investigation result item.
Right-click on the desired item metric value from the results table to open the action menu. In this example, the value of
1
under the Total number of connections field column.From the Add filter… action menu of a selected item, click the
is '1'
to filter the entire field column to that item value.
Example of adding filters from field columns
The example below describes the steps for setting a filter value on the Total number of connections field directly from the Investigations field header.
From the Investigations page > Visual editor:
Right-click on the field column header from the results table to open the action menu. In this example, the Total number of connections field column from the Connection events investigation result.
Click the Add filter… option from the column header action menu to open the Set filter pop-up. Choose the condition operator and one or multiple values for the conditions. In this case,
Is greater than '2'
.
Summarizing investigation results
The summarize mode in the Visual editor allows you to aggregate and break down investigation metrics and properties into groups and time periods.
To activate the summarize mode from the Investigations page > Visual editor, choose one of these options:
Enable the Summarize results toggle button in the Fields right-side panel.
Right-click the field column header from the Investigations results table to open the action menu and select the Summarize option.
Exit summarize mode by disabling the Summarize results toggle button.
Adding fields when in summarize mode
When adding fields in summarize mode from the Investigations page > Visual editor, consider the following:
The system adds properties of supported data types (string, UID, Boolean, enumeration, version) to the results list as a
group by
field.The system adds metrics to the results list and aggregates the data by default.
Adding filters when in summarize mode
When adding filters in summarize mode from the Investigations page > Visual editor, consider the following:
Filters on properties used in the
group by
are reflected in the results.Filters on metric numerical values still affect the Investigations results table after disabling the Summarize results toggle button.
Overall, the system aggregates metric numerical values, but clusters properties using the group by
clause for supported data types (string, UID, Boolean, enumeration, version).
Saving an investigation
Click on the Save as button in the top-right corner of the Investigations page to save an investigation.
Saved investigations appear on the Manage Investigations page and in the navigation panel for the Investigations module.
If you are editing an existing investigation, you can:
Click Save to save the changes.
Click Save as to save the investigation under a different name.
Sharing and exporting an investigation
Click on the action menu in the top-right corner of the Investigations page to:
Share an investigation with groups of users based on their user profile, and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation. Refer to the Sharing an investigation section of the Manage Investigations documentation for more information.
Copy link to an investigation and share it with other Nexthink users. Copy link shares the query text in the URL and is always treated as a new investigation for the user you send the link to.
Export results of the data returned by the investigation in a CSV file.
By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.
Ticking the Formatted data checkbox from the Export results in the CSV pop-up, allows you to format Raw data. Open the table below for more details.
Rename or Delete an existing investigation using the same action menu from the Investigations page.
Switching from Visual editor to NQL editor
Investigations created in the Visual editor always have an associated NQL query that you can view by switching to the NQL editor tab, and vice-versa for supported cases.
The system alerts you if the Visual editor does not support modifications typed into the NQL editor.
Visual editor unsupported NQL statements
The Visual editor does not currently support the following features when using the visual builder:
Changing aggregation of the metrics
with
clause (all metrics from associated events are added using “include”)sort
clause on multiple columnslimit
clause
The Visual editor loads and displays Advanced filters created in the NQL editor. This includes, for example, queries with or
operators and nested and
combinations. Switch back to the NQL editor to edit advanced filters.
The Visual editor is progressively expanding the number of supported NQL statements. However, the NQL editor currently remains the preferred tool for advanced queries.
RELATED TOPIC