# NQL syntax overview

## Specifying table <a href="#nqlsyntaxoverview-specifyingtable" id="nqlsyntaxoverview-specifyingtable"></a>

Every NQL query starts with a short statement specifying the table to select data from. The syntax to specify the table is:

`<namespace>.<table>`

For example, listing all records in the events table from the execution namespace translates into the following statement:

{% code overflow="wrap" lineNumbers="true" %}

```
execution.events
```

{% endcode %}

### Syntax shortcuts <a href="#nqlsyntaxoverview-syntaxshortcuts" id="nqlsyntaxoverview-syntaxshortcuts"></a>

Instead of typing the namespace and the table, you can also use the predefined shortcuts. Type the table name only, without a namespace first to retrieve data from the following tables:

| Namespace   | Table        | Shortcut       |
| ----------- | ------------ | -------------- |
| application | applications | `applications` |
| binary      | binaries     | `binaries`     |
| campaign    | campaigns    | `campaigns`    |
| device      | devices      | `devices`      |
| user        | user         | `users`        |

For example, type `devices` instead of `device.devices` to list all the records within the devices table in the device namespace.

{% code overflow="wrap" lineNumbers="true" fullWidth="false" %}

```
devices
```

{% endcode %}

You do not need to specify the table fields included in the results to query data from the table. The system includes default fields that are most relevant to identify the records. For more information about fields contained in specific table, refer to the NQL data model page. Use the [NQL list](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-keywords/nql-list) keyword to access other fields in the specific table.

## Specifying time frame <a href="#nqlsyntaxoverview-specifyingtimeframe" id="nqlsyntaxoverview-specifyingtimeframe"></a>

You have the option to filter your results over a specific period of time by putting a time frame selection right after the table name in your NQL statement. Depending on what you need, you can choose from various data selection formats and time precisions. For example you can specify the number of days back:

{% code overflow="wrap" lineNumbers="true" %}

```
execution.crashes during past 7d
```

{% endcode %}

Or specific date:

{% code overflow="wrap" lineNumbers="true" %}

```
execution.crashes on Feb 8, 2024
```

{% endcode %}

You can also use a time selection when querying the following inventory objects: devices, users, binaries. If you specify the time frame for the inventory objects, the system refers to the events behind the object's activity.

For example, the following queries refer to the same set of data.

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```
devices 
| with device_performance.events during past 7d
```

{% endcode %}

For more information regarding the time selection formats refer to the [NQL time selection](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-syntax-overview/nql-time-selection)

## Customizing Query Results <a href="#nqlsyntaxoverview-customizingqueryresults" id="nqlsyntaxoverview-customizingqueryresults"></a>

After specifying the table and timeframe, you can further refine your query by providing additional instructions to the system using [keywords](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-keywords), [operators](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-operators) and [functions](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-functions). These refinements allow you to organize, filter or aggregate your results to gather more comprehensive insights.

For example:

1. Filter the results using the `where` clause

   <pre data-overflow="wrap" data-line-numbers><code>binaries during past 24h
   | where binary.name == "dllhost.exe"
   </code></pre>
2. Select specific data to display using the `list` clause

   <pre data-overflow="wrap" data-line-numbers><code>binaries during past 24h
   | where binary.name == "dllhost.exe"
   | list name, version, platform, architecture, size
   </code></pre>
3. Order results using the `sort ... desc` clause

   <pre data-overflow="wrap" data-line-numbers><code>binaries during past 24h
   | where binary.name == "dllhost.exe"
   | list name, version, platform, architecture, size
   | sort size desc
   </code></pre>
4. Set a maximum number of results using the `limit` clause

   <pre data-overflow="wrap" data-line-numbers><code>binaries during past 24h
   | where binary.name == "dllhost.exe"
   | list name, version, platform, architecture, size
   | sort size desc
   | limit 10
   </code></pre>

For more information about specific instructions, refer to the [NQL keywords](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-keywords) section.

## Pattern matching <a href="#nqlsyntaxoverview-patternmatching" id="nqlsyntaxoverview-patternmatching"></a>

Use wildcard characters such as `*` and `?` for text filters.

`*` replaces any number of characters

`?` replaces any single character

For example, listing all binaries with a name starting with **dll** and finishing with **.exe** translates into the following query:

{% code overflow="wrap" lineNumbers="true" %}

```
binaries during past 24h
| where binary.name == "dll*.exe"
| list size,name,version 
| sort size desc 
| limit 100
```

{% endcode %}

* [NQL time selection](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-syntax-overview/nql-time-selection)
* [NQL data types](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-syntax-overview/nql-data-types)

## Escaping characters

Use the backslash (`\`) as an escape character in literal strings.

Common escape sequences:

* `\"`: Escapes double quotes within string literals
* `\'`: Escapes single quotes within string literals
* `\\`: Escapes the backslash character itself
* `\\u####`: Unicode escape sequences for special characters

The following example shows how to escape a set of Unicode characters, such as `\u0022` used for the quotation mark (`"`):

```
devices
| with execution.events
| where binary.name in ["\\u0022", "\\u003c", "\\u005f"]
```

The following example shows how to use an escape character when searching in a Windows file path, such as `C:\Program Files\`:

```
devices
| compute program_files_path = "C:\\Program Files\\"
| where program_files_path != null
```

The following example shows how to use an escape character when searching in a Windows registry path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft`:

```
devices
| include remote_action.get_windows_registry_key_values_windows.executions
| where inputs.RegistryKey1 == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft"
| compute c1 = outputs.ValueData1.last() | where c1 != null
```

## Commenting

Use comments in your NQL queries to include explanatory notes that are ignored during execution. Comments help clarify the intent of the query, making it easier to read, maintain, and understand.

Use `/*` to begin a comment and `*/` to end it. All text between these symbols will be ignored during execution.

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d 
/* This comment spans
multiple lines and is ignored */
| list device.name, device.entity
```

{% endcode %}

### Keyboard shortcuts for commenting

Use the following keyboard shortcuts to quickly add or remove comments in your NQL queries.

#### Line-based comment

Toggle comment on the current line or selected multiple lines.

The following shortcuts add or remove comment markers (`/* ... */`) around the entire line where your cursor is placed. If multiple lines are highlighted, it wraps full lines in a single comment block.

* **Windows**: Press `Ctrl + /`
* **macOS**: Press `Cmd + /`

#### Inline or block comment

Toggle comment on selected code.

The following shortcuts add or remove comment markers (`/* ... */`) around the highlighted portion of code, even if the selection starts or ends mid-line.

* Windows: Press `Shift + Alt + A`
* macOS: Press `Shift + Option + A`

{% hint style="info" %}
Pressing either shortcut again will remove the comment block it added.
{% endhint %}

### Valid comment placement

Comments can be added in most parts of an NQL query. However, there are specific cases where comments are **not allowed**.

The following table outlines **invalid comment placements**. If a comment is added in one of these locations, the NQL editor will display an error.

<table><thead><tr><th width="310">Description of invalid comment placement</th><th>Example of invalid comment placement</th></tr></thead><tbody><tr><td>Between <code>|</code> and statement keyword</td><td><pre data-overflow="wrap"><code>devices | /* comment */ where name == "test"
</code></pre></td></tr><tr><td>Inside expressions</td><td><pre data-overflow="wrap"><code>devices | where name /* comment */ == "test"
</code></pre></td></tr><tr><td>Between operator and operand</td><td><pre data-overflow="wrap"><code>devices | compute x = count /* comment */ ()
</code></pre></td></tr><tr><td>Inside function calls</td><td><pre data-overflow="wrap"><code>devices | summarize c = count() by /* comment */ 1d, start_time
</code></pre></td></tr></tbody></table>