Search with Finder (classic)

Overview

Finder divides the results of a search on the Start page into two columns:

  1. The left-hand column, entitled Investigations, shows both existing investigations that match the search terms and automatically generated investigations that the system infers from the search terms and are suggested to the user. Because of the automatic inference, this part is also known as the smart search. The display of results is as follows:

    • An icon that indicates the type of object or activity on which the investigation is based

    • A label Suggested, if the investigation was automatically generated

    • The name of the investigation

    • The timeframe that restricts the results to a particular interval of time

  2. The right-hand column shows search results based on the name of objects (for example, Devices or Executables), Services, Metrics, Scores, Remote actions, and Categories.

Suggested investigations

Finder uses the typed words to suggest investigations. It checks whether the words match:

  • An object type (for example, device) or an activity type (for example, connection)

  • The name of a platform if you want to filter the results based on the type of devices (for example, windows)

  • A keyword (for example, crash, performance)

  • A condition on an object type

  • Names of objects

  • Names of services

  • Names of entities

  • The name of a category (for example, NXT - Server type) or one of its keywords (for example, Proxy)

  • A timeframe

In order to iteratively reduce the scope of the search, we recommend that you type the words following the previous order. After the first typed word, Finder will provide you with search results that you can refine as you type more words. This is not mandatory, as Finder does not take word order into account.

When the Cross-Engine search features are enabled in Finder, the suggested investigations additionally look for words matching the following items in all Engines, subject to the domain view of the Finder user:

  • All users and devices

  • Domains seen in the last 5 days

  • Any other object seen in the last 7 days

Objects, activities and platforms

Below is a list of objects and activities that you can use.

Objects:

  • users

  • devices

  • packages

  • applications

  • executables

  • binaries

  • ports

  • destinations

  • domains

Activities:

  • installations

  • executions

  • connections

  • web requests

  • system boots

  • user logons

Platforms:

  • windows

  • mac

  • mobile

For example, search for packages:

  Search        Finder suggestions
  packages      All packages - full period

When the Cross-Engine search features are enabled in Finder, the search tool looks for objects across all Engines and for all other shared items such as metrics, categories, services or remote actions. Displayed users and devices are limited to the domain view of the user that launched the search, while other objects and items may lie outside that domain view. In the latter case, the user cannot further investigate the details of the object.

Keywords

It is possible to look for errors and warnings in devices or applications using keywords. For instance, type errors in the Search box to get a list of any kind of error in the system. You will get the same results if you use the synonyms for error such as issue, problem or failure.

To find more specific types of errors, you can use any of the following (or another valid synonym):

  • system crash

  • application crash

  • application freeze (not responding)

  • high CPU

  • high memory

For example, to look for application crashes, just type in application crash.

  Search                Finder suggestions
  application crash     Application crashes - today

A condition on an object type

You can type the name of an existing user and Finder will show you suggested investigations that use the condition on the user name.

  Search            Finder suggestions
  user UserName     Devices used by user UserName - full period

Names of objects

Type in the names of objects in your queries to look for a concrete instance of an object. As a Finder user, you must have the right privilege level to see the names of some objects. Otherwise, they appear as anonymized in the search tool and you will be unable to search them by name.

For example, type in the name of a device or a user in the Search box. You do not need to type in a full name. The Search populates the list of suggestions with investigations related to the objects with that name inside their properties. Finder highlights the name in the list of results.

If Finder detects that many objects match the name, it may infer that the word that you typed in is in fact a fragment of the actual name. In this case, the suggested investigations relate to groups of objects whose properties match the fragment. This is indicated by displaying the asterisk (*) wildcard on both sides of the name.

When you type names in the Search box, you can get a mix of suggested investigations that either match one object exactly or match a group of objects. For each investigation, Finder may interpret the word as a full name or as a fragment. For example:

  Search    Finder suggestions
  nxtc      Application matching nxtcfg.exe - full period
            Applications used to access domain *nxtc*

Names of services

Similarly to names of objects, look for names of services in the Search box to get investigations related to a particular service. For instance, if you have a service called Mail Service, start typing mail and you will get the following results (among others):

  Search    Finder suggestions
  mail      Applications used for Mail Service - today
            Devices using Mail Service - today ...

Names of entities

If you have defined a set of entities to build up your hierarchies, type in the names of your entities in the Search box for Finder to suggest investigations related to objects in those entities.

Suggested investigations based on categories

Use the names of categories to refine suggested investigations. For instance, given a category RAM that classifies devices according to the quantity of memory installed, the result of looking for devices with that category is the following:

  Search        Finder suggestion
  device RAM    Devices with RAM - full period

The name of the category is highlighted in the list of results and preceded by the label icon that identifies it as a category (not shown in the table).

Instead of the name of a category, you can directly use the name of the keywords of the category. For instance, let us assume that the keywords of the category RAM are:

  • 2GB

  • 3GB

  • 4GB

You can directly look for devices using one of these keywords, or even combine several keywords, by typing:

  Search            Finder suggestion
  device 2GB        Devices with RAM set to 2GB - full period
  device 3GB 4GB    Devices with RAM set to 3GB or 4GB - full period

Alternatively, you can directly use the name of a category without specifying the type of object and optionally combine it with one of its keywords. In this case, Finder deduces the type of object to which the category applies:

  Search     Finder suggestion
  RAM 1GB    Devices with RAM set to 1GB - full period

Timeframe control

Limit the suggestions of Finder to a particular time interval by specifying a timeframe. Below is a list of words that you can use to define a timeframe for the suggested investigations:

  • Full period: The full time interval stored in the database of the Engine

  • Today: The current day (from 0 hours to the current time)

  • Yesterday: The full day before today

  • Last hour: The last 60 minutes (including the current minute)

  • Last week: The last seven days (including today)

Platform control for suggestions

If you use one of the platform names in your search, suggestions are adapted to match the available information for that platform.

Note that platform control in the smart search is only activated if devices of platforms other than Windows are detected inside your installation. If you only have Windows devices, the platform keywords (windows, mac os and mobile) are not recognized as such, and instead are considered normal terms of your search.

Synonyms

To make its use more natural, the Search tool of Finder has the ability to recognize the singular and plural forms of these words as well as some of their synonyms. In many cases, you can use your own words to look for information in Finder and still get the expected results. For instance, instead of looking for devices, you can search computers, PCs or workstations.

Once you get used to Nexthink terminology, you may find it more practical, accurate or even easier to utilize the official terms to designate objects or activities.

Using quotes

When searching, you can use quotes to:

  • Force the search on words with fewer than two letters, which Finder otherwise ignores.

  • Force the search to ignore spaces between words and consider the words together. For example, you can search for an application whose name contains spaces, such as name of my application:

  Search                                Finder suggestion
  Application "name of my application"  Application matching name of my application - full period

  • Avoid using reserved words. The quotes instruct Finder that the content inside is the value of an object name and not the name of a type of object or activity. For instance, you get different results when you type the word user in the Search box with quotes and without quotes:

  Search    Finder first suggestion
  user      User logons - today
  "user"    Devices with package user - full period

User's investigation

Finder checks all the words in the user's investigation and whether one of them matches an object or an activity type. If this is the case, the system also checks whether a word matches the object of the conditions.

For example, let's say that the user has a saved investigation named InvestigationABC based on devices:

  Search                     Finder suggestion
  device InvestigationABC    InvestigationABC

Timeframe control

By default, the original timeframe is used. This timeframe can be modified using the "timeframe control" described for suggested investigations. It will apply if the underlying investigation is compatible with it.

  Search                           Finder suggestion
  device InvestigationABC today    InvestigationABC - today

Platform control for investigations

Using platform keywords in the search makes Finder suggest only those user investigations that are suitable for all the enumerated platforms.

Using synonyms and quotes

The use of synonyms and quotes described above for suggested investigations applies in the same way to user investigations.

Show in investigations list

If you want to modify the user’s investigation, you can right-click and select the option show in investigations list. Then you can modify the original investigation with a right-click and by selecting edit.

Objects search

Up to now, we have discussed the results that the Search tool displays in the left column of the Start page under the title Investigations. This section covers the results of the Search tool that are displayed in the right column of the Start page.

The main use of the right column is to look for a single existing object in the database when you know its name, or at least part of it. In this case, Finder does not have to deduce anything. It just performs a pure search by matching the terms that you type in with the names of objects or investigations in the database. Results are organized by type of object.

Using quotes works in the same way as on the left panel. To increase the number of results, you can use wildcards:

  • * substitutes for zero or more characters

  • ? substitutes for zero or one character

Finder runs the right and left panel search in parallel, so you do not have to choose between either one. Using wildcards, however, is not yet supported by the investigation search, which is likely to show no suggestions at all if you type in an asterisk or a question mark in your search.
