Detecting issues impacting a single device or user
Refer to the Alerts FAQ to learn how to investigate and query devices associated with an existing alert, using NQL.
Detect an issue that occurs on a single device or for a single user, to help L1 support teams proactively respond and remediate before a user raises a ticket.
To configure a monitor that evaluates a metric per single device or user, create an NQL query that returns a list of devices with a computed metric without further aggregations. You can achieve this in two ways:
Start with the
devices
orusers
table, join either table with the events table and compute the metric.
Start with an events table, summarize the metric and add grouping by device.
Notifications:
The system sends notifications for each impacted device or user separately and includes the device or user name in the payload.
Alerts overview dashboard
In the Alerts overview dashboard, the alerts for all devices/users are combined and displayed in a single line. The impacted devices column informs you about the number of devices with alerts.
Considerations
Do not use this type of query if you expect a large number of objects to trigger an alert at once. Nexthink sets a limit of 500 simultaneous triggers for one monitor. Consider using Data Export or Webhooks for reporting purposes to external systems.
For this type of query do not use the
summarize... by device.name
syntax as it will not trigger an alert per device as you might expect.
NQL examples
Below is a list of NQL query examples to help you create and edit monitors. Review the queries and pick the one most similar to the monitor you are creating or editing. Copy the query and adjust it to your use case, including the thresholds that have been provided as an example.
Devices with a high number of system crashes per week ( >=3)
This alert is triggered per device with a device name in the payload.
or
In the second example, use the device.collector.uid
for grouping. The system sends the device name in the notification.
Devices with a high system drive usage ratio in the last week ( >=90)
This alert is triggered per device with a device name in the payload.
Unauthorized users accessing Salesforce app
This alert is triggered per user for those who have accessed the Salesforce app and are not from the Marketing or Sales departments. The username is in the alert payload.
Last updated