Editing the options of an investigation with Finder (classic)
Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.
To edit the options of an existing investigation, either:
Right-click the investigation name in the Investigations section on the left and select Edit.
Execute the investigation and click the pencil and paper icon that appears in the top right corner of the list of results.
When you create a new investigation or edit an existing investigation, Finder opens a dialog that lets you set all the options of the investigation.
The first thing that you find at the top of the dialog is the name of the investigation and an optional description of what it does. Click the name or the description to modify the content.
Below the name and the description, you find three distinct sections that let you design the investigation to get the desired results:
Retrieve
Matching
Display
Retrieve section
In the Retrieve section, choose the object, activity or event of interest. The execution of the investigation returns a list of results with items of the selected type.
Platform selection
In the upper-right part of the Retrieve section, find three checkboxes to select the platforms that are applicable to the investigation. The conditions and display fields that you are able to edit in the investigation depend on the platforms that you select here.
If you choose one platform, you can use conditions and display fields available for that platform.
If you select multiple platforms, only those conditions and display fields shared by all the selected platforms are available.
For instance, if you select to retrieve devices from the mobile platform, you can only set conditions on devices or user fields, because all other objects are not available for Mobile.
In a similar way, if you choose to retrieve an object type that is not available on all platforms, the check boxes of the platforms in which the object is not available are ineligible.
For example, if you choose to retrieve domains, which are only available for the Windows platform, the check boxes of both Mac OS and Mobile platforms are disabled.
By default, when you create a new investigation, only the Windows platform is ticked in this section.
Matching section
In the Matching section, you select the criteria that the objects, activities or events of the type that you chose in the Retrieve section must fulfill to appear in the list of results. The Matching section is divided into two subsections: Conditions and Time Frame.
Conditions
The matching Conditions are a set of rules that apply to any type of item related to the one selected in the Retrieve section. You can set constraints on the properties or categories of objects, activities or events to filter the results of your investigation.
To add a new condition:
In the Conditions subsection, click the link Click here to add a new condition. The placeholders for the condition fields will appear.
Set the object, activity or event to which the condition applies.
Set the attribute or category that you want to constrain.
Set the operator for comparison (for example, is, is not, starts with, etc).
Set the matching value, if you’ve selected an attribute constraint, or the matching keyword, or if you selected a category constraint.
As you type, auto-complete looks in Engine for values that match the written characters whenever possible (for example, when setting conditions on names and not on numerical values). If the appropriate Cross-Engine features are enabled, auto-complete looks for matching values in all Engines.
Some combinations of conditions and display settings are incompatible. If you add a condition and a red exclamation mark appears on its right side, the condition may conflict with another condition or with one of the chosen attributes to display. Hovering the mouse over the exclamation icon will tell you the reason for the conflict. Investigations with conflicting conditions cannot be saved. Deselect the conflicting display attributes or delete the conflicting condition before saving the investigation.
To delete a condition:
Click the trash icon to the right of the condition fields.
To make a template investigation:
Instead of providing a matching value in the last condition field, click the question mark to its right to transform the investigation into a template investigation. The actual matching value is provided as a parameter when executing the investigation.
By default, the results of an investigation must fulfill all the expressed conditions. That is, the resulting filter is logical AND satisfies all the conditions. If you want to combine the conditions in a different way:
Click the Advanced area to expand it.
Combine the conditions in the Logical expression field using the numbers of the conditions and the Boolean operators
AND
andOR
. For example,1 AND (2 OR 3)
.
The final AND in the Conditions section allows you to specify a condition on an aggregate of the object selected in the Retrieve section. Activities and events do not have associated aggregate values.
Time frame
To limit the results of the investigation to a particular range of time, use one of the following options:
Full available period (start date to end date)
Do not limit the results. The investigation uses the full range of time available in Engine, which is stated in the start and end dates. If Cross-Engine features are enabled, the start and end dates are adapted to the maximum span available across all Engines within the view domain of the user. This option is not available for investigations based on activities or events nor for any investigation based on objects that need to go through activities or events.
On date
Limit the results of the investigation to a particular day. The available dates to pick are either those of the current Engine selection or, if Cross-Engine features are enabled, those of any Engine within the view domain of the user.
During the last x days / hours.
Get the most recent matching results, specifically, those that have occurred in a shorter time period than the specified number of days or hours ago. Note that, when expressed in days, the time is partitioned in natural days, going from 0h to 23h59. As a consequence, it is not the same to restrict the time frame to the last day (from midnight today until now) than to the last 24 hours.
From start date and hour to end date and hour
Specify the period limit manually. Again, available dates are either those of the current Engine selection or those of any Engine within the view domain of the user, if Cross-Engine features are enabled.
Additionally, for specified time frames that span through several days (with the exception of the full period choice), you can optionally specify a range of hours of interest.
Between start hour and end hour
Choose a period of interest inside every single day included in the investigation.
To avoid long computation times in Engine, the time frame of investigations that need to go through activities or events is limited by default to a maximum of 7 days. It is possible to remove this 7-day limit and launch investigations with time frames spanning up to the maximum number of days available in Engine.
Display section
In the Display section, determine how Finder presents the results of the investigation. Choose between showing all the available results or just a fixed number of entries, according to specified sorting criteria. In addition, select the fields (attributes and categories) of the retrieved objects that will be arranged as columns in the list of results.
Optionally restricting the number of results
To display all the results of the investigation or restrict their number, use the option that you find at the top of the Display section. Choose between:
All results
Display all retrieved items without limit.
The top x items ordered by field ascending/descending
Limit the list of results to the first x items in ascending or descending order, according to the specified field.
Selecting the columns
Under Columns, specify the fields which have values you wish to see as columns in the list of results of the investigation. Select the fields by means of a label selector, where each label holds the name of a field. Finder pre-populates the label selector with a set of default fields that depend on the type of item to retrieve and the previously specified options for the investigation.
To add a column to the list of results:
Click the label selector to place the cursor on it. A selection menu exhibits all available fields organized by sections.
Select the field either by clicking or by typing its name:
Click the name of the field that you want to add as a column. The field must not have already been added to the label selector (in which case, it is disabled in the menu).
Start typing in the name of the desired field. The selection menu pops up, showing only those fields with names that include the characters entered.
(Optional) Click the name of the desired field in the selection menu to add it directly. As indicated above, the field must not have already been added.
(Optional) Press Tab to auto-complete the name of the field if it is the only field left in the menu.
(Optional) Learn how to use the keyboard for an even faster selection of columns.
To be eligible, fields must be compatible with the options specified for the investigation (for example, some aggregates are not available if the time frame selected is the full period available). Position the mouse cursor over a disabled field to know about the reasons for the incompatibility.
To remove a column from the list of results, either:
Click the cross sign on the right side of the label that holds the field name.
Place the cursor to the left of the field label and press Delete or to the right of the field label and press Backspace. To remove all the labels at once, press Ctrl+A to select them all and press Delete.
Note that if you have restricted the number of results according to the value of a field, that field is mandatory and cannot be removed from the label selector.
In any case, the set of labels in the label selector must never be empty. If you remove all the labels from the selector, then a label with the unique identifier of the object (UID field) is automatically added.
Last updated