# Visual editor

Use the **Visual editor** to create powerful and flexible investigations without the need to write and master NQL and the NQL data model.

The Visual editor is a graphical NQL tool that allows you to:

* List and visualize collections of data such as users, devices, binaries or events.
* Add additional columns with various properties and metrics.
* Fine-tune the results using conditions and filters based on properties and metric values.
* Aggregate metrics and group them by various dimensions.
* Switch between the **Visual editor** and [NQL editor](https://docs.nexthink.com/platform/user-guide/investigations/creating-investigations/nql-editor), or use both modes to build queries.

## Querying data using the Visual editor <a href="#visualeditor-accessingthevisualeditor" id="visualeditor-accessingthevisualeditor"></a>

{% hint style="info" %}
Install the [Nexthink Library Investigations starter](https://docs.nexthink.com/platform/library-packs/it-operations/investigations-starter-pack) pack, which contains predefined investigations, to quickly gain insights on common issues without manually writing NQL queries or using Nexthink Assist or the Visual editor to query data.
{% endhint %}

1. Select **Investigations** from the main menu to create or edit an existing investigation.
   * If needed, click the **New investigation** button in the top-right corner of the page to open a new investigation tab.
2. Under the **Visual editor**, use the **Display** drop-down menu to select an option from the available data:
   * Objects tables such as **Users**, **Devices** and **Binaries**.
   * Events tables such as **Execution crashes** and **Device performance events**.
3. After choosing an option from the **Display** drop-down, a set of default columns appears in the results table.
   * The **Visual editor** displays the **Devices** results table by default.
   * The metrics in the **Display** drop-down under **Campaigns** and **Remote actions** have an extra drop-down to target specific campaigns and remote actions. See the image below.
   * When you select [sampled event](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/data-we-collect-and-store#datawecollectandstore-sampledevents) tables from the **Display** drop-down, the **Visual editor** summarizes the results by default. Refer to [Summarizing investigation results](#visualeditor-summarizinginvestigationresultstrue) for more information.
   * To modify the columns in the results table, refer to the [Adding columns](#visualeditor-addingfieldstoaninvestigationaddingfields), [conditions](#visualeditor-addingconditionstoametricfieldaddingconditions) and [filters](#visualeditor-filteringinvestigationresultsaddingfilters) sections on this page.

Alternatively, with the support of [Nexthink Assist](https://docs.nexthink.com/platform/user-guide/search-and-nexthink-assist/using-nexthink-assist#query-data-with-assist), you may build investigation queries without any prior knowledge of **Visual editor** or NQL.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-2cb9a195d50eb6f9bb057df29e772e51a4c64221%2FVisualEditor_01.1.png?alt=media" alt="Creating a query using Investigations Visual Editor."><figcaption></figcaption></figure>

{% hint style="warning" %}
Jump to the [Visual editor unsupported NQL statements](#visualeditor-visualeditorunsupportednqlstatements) section to identify NQL queries incompatible with the Visual editor.
{% endhint %}

### Selecting connection events for Network view <a href="#visualeditor-selectingconnectioneventsfornetworkview" id="visualeditor-selectingconnectioneventsfornetworkview"></a>

Choosing **Connection events** from the **Display** drop-down of the Visual editor on the Investigations page enables the **Network** tab with a Network view visualization.

{% hint style="info" %}
Refer to the [Network view](https://docs.nexthink.com/platform/user-guide/network-view) documentation to learn how to identify and troubleshoot network-related issues.
{% endhint %}

## Adjusting the timeframe <a href="#visualeditor-adjustingthetimeframe" id="visualeditor-adjustingthetimeframe"></a>

From the Investigations page > **Visual editor**, select a timeframe from the **active during** drop-down.

The timeframe is set to **Past 7 days** by default.

Unlike in the [NQL editor](https://docs.nexthink.com/platform/user-guide/investigations/creating-investigations/nql-editor), the timeframe selection is mandatory to query objects and events in the Visual editor.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-f8dc81c4ed439ff1e2e68502dec4a6c8d663a016%2FVisualEditor_02%2C3.png?alt=media" alt="Adjusting the timeframe from an investigation."><figcaption></figcaption></figure>

## Adding columns to the investigation results table <a href="#visualeditor-addingfieldstoaninvestigationaddingfields" id="visualeditor-addingfieldstoaninvestigationaddingfields"></a>

To change the displayed columns in the investigation results table from the Investigations page > **Visual editor**:

1. Click the **Add column** button in the **Columns** right-side panel to open the **Add column** pop-up.
2. Search for or choose **field** metrics and properties available from the source collections and associated collections.
   * The system organizes available metrics and properties into categories.
   * The system displays selected fields under **Current columns**. If needed, remove any field.
3. Depending on the selected field, the system opens a pop-up to **Add condition**. Refer to the [Adding conditions to a field](#visualeditor-addingconditionstoametricfieldaddingconditions) section on this page.
4. Click **done** to add all selected fields and change the displayed columns in the Investigations results table. See the image below.

[Switch to the NQL editor](#visualeditor-switchingfromvisualeditortonqleditorswitchtonql) to check the active aggregation method. For example, the query below shows the `sum` aggregation function applied to the selected `number_of_crashes` metric:

```
devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
| list device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, number_of_crashes__0
```

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-fc681e486fe2e89348a3cfd76cf1dd21b55681ef%2F2025-01-14_16-15-32.png?alt=media" alt="Adding field as a columns in the investigation results table"><figcaption></figcaption></figure>

## Filtering investigation results <a href="#visualeditor-filteringinvestigationresultsaddingfilters" id="visualeditor-filteringinvestigationresultsaddingfilters"></a>

To filter investigation results in the **Visual editor**, you have the following options:

* **Add filter** button [from the Visual editor](#visualeditor-exampleofaddingfiltersfromtheaddfilterbutton) on the Investigations page.
* **Add filter** option [from a specific field's action menu](#visualeditor-exampleofaddingfiltersfromtheaddfilterbutton-1) in the **Columns** right-side panel.
* **Add filter** option [from the action menu of a selected cell](#visualeditor-exampleofaddingfiltersfromaninvestigationitem) in a results table to apply its value or property as a filter.
* **Add filter** option [from the action menu of a column table header](#visualeditor-exampleofaddingfiltersfromfieldcolumns).

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-919c46b79ca4c944229197b08c588b70904dcfbb%2F2025-01-14_16-13-35.png?alt=media" alt="Filtering investigation results"><figcaption></figcaption></figure>

### Adding filters from the 'Add filter' button <a href="#visualeditor-exampleofaddingfiltersfromtheaddfilterbutton" id="visualeditor-exampleofaddingfiltersfromtheaddfilterbutton"></a>

Click on the **Add filter** button from the **Visual editor** on the Investigations page.

The example below describes the steps for adding a **TCP** filter to a **Connection events** investigation result:

1. Click the **Add filter** button from the Visual editor on the Investigations page to open the **Add filter** pop-up.
2. Select **Connection events** from the first drop-down.
3. Select or search **Transport protocol** from the second drop-down.
4. Select the `is` operation and add **TCP** as the item.
   * Optionally, add multiple conditions.
5. Click **done** to save the filter.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-8f4a2b1b1fd04ccb90bc2276024c34a3ce959540%2FVisualEditor-06.png?alt=media" alt=""><figcaption></figcaption></figure>

### Adding filters from the field's action menu <a href="#visualeditor-exampleofaddingfiltersfromtheaddfilterbutton" id="visualeditor-exampleofaddingfiltersfromtheaddfilterbutton"></a>

1. Click on the **Add filter** option from a specific field's action menu in the **Columns** right-side panel.
2. In the **Set filter** pop-up, select the operator and the value to filter by.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-e4bd949f20c2283e88591381061da6f1e6e00cfd%2FVisualeditor_08.png?alt=media" alt=""><figcaption></figcaption></figure>

### Adding filters from the results cell <a href="#visualeditor-exampleofaddingfiltersfromaninvestigationitem" id="visualeditor-exampleofaddingfiltersfromaninvestigationitem"></a>

The example below describes the steps for adding an `is '1'` filter to the **Total number of connections** field directly from an investigation result item.

1. Right-click on the desired item metric value from the results table to open the action menu. In this example, the value of `1` under the **Total number of connections** field column.
2. From the **Add filter…** action menu of the selected item, click `is '1'` to filter the entire field column to show that item value.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-d819be8eebd36e266ae39e8533421b6ad4d65f29%2FVisualEditor_09.png?alt=media" alt="Adding filters from the results cell"><figcaption></figcaption></figure>

### Adding filters from the results columns <a href="#visualeditor-exampleofaddingfiltersfromfieldcolumns" id="visualeditor-exampleofaddingfiltersfromfieldcolumns"></a>

The example below describes the steps for setting a filter value on the **Total number of connections** field directly from the Investigations field header.

From the Investigations page > **Visual editor**:

1. Right-click on the field column header from the results table to open the action menu. In this example, the **Total number of connections** field column from the **Connection events** investigation result.
2. Click the **Add filter…** option from the column header action menu to open the **Set filter** pop-up. Choose the condition operator and one or multiple values for the conditions. In this case, `Is greater than '2'`.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-d8f8e2b5f0c81d23fae1d1e15d7043b9c4d1a7d5%2Fimage-20230522-150110.png?alt=media" alt="" width="544"><figcaption></figcaption></figure>

### Editing or removing filters

The system lists added filters next to the **Add filter** button on the Investigations page. Right-click on an added filter to **Edit** or **Remove** the filter.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-2b25f5813599f1327b5aa00643573bfe010e0584%2FVisualEditor_10.png?alt=media" alt=""><figcaption></figcaption></figure>

## Adding conditions to a column metric <a href="#visualeditor-addingconditionstoametricfieldaddingconditions" id="visualeditor-addingconditionstoametricfieldaddingconditions"></a>

The following steps show an example of adding condition values to the **Incoming traffic** column field for different binaries:

1. Click the **Add column** button in the **Columns** right-side panel on the Investigations page > **Visual editor** to open the **Add Column** pop-up.
2. In this example, you create two separate columns to display incoming traffic from the **Skype** and **Zoom** binaries. Therefore, you must repeat these steps for each binary:
   * Select the **Incoming traffic** metric field from the **Add Column** pop-up.
   * **Add condition** for **Binaries**, by setting the **Product name** to **Skype** or **Zoom**.
   * **Add condition**(s) for **Connection events**, by restricting the metric value of **Incoming traffic**.
   * Save the condition-specific field under a unique **Column name**.

{% hint style="info" %}
See the image below for a visual representation of adding conditions to a column field metric.
{% endhint %}

#### **Considerations when adding column field conditions**

* Adding multiple conditions automatically adds the `and` logical operator between them.
* Adding multiple metric values or properties to the same condition automatically adds the `or` logical operator.
* The autocomplete feature suggests existing property values. If needed, use wildcards:
  * `*` to substitute for zero or more characters
  * `?` to substitute for zero or one character

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-eae931d23d589b7b41c5ff48e81b72500e54530b%2FVisualEditor_11.png?alt=media" alt="Adding conditions to a column metric"><figcaption></figcaption></figure>

## Summarizing investigation results from the Visual editor <a href="#visualeditor-summarizinginvestigationresultstrue" id="visualeditor-summarizinginvestigationresultstrue"></a>

Summarize mode in the **Visual editor** allows you to aggregate and break down investigation metrics and properties into groups and time periods.

To activate summarize mode from the Investigations page > **Visual editor**, choose one of the following options:

* Enable the **Summarize results** toggle button in the **Columns** right-side panel.
* Right-click the column header from the Investigations results table to open the action menu and select the **Summarize** or **Group by** option.

Exit summarize mode by disabling the **Summarize results** toggle button.

#### Aggregations used when summarizing results

When the Visual editor summarizes returned values, it applies aggregation functions based on the data type and field configuration. Each field in the investigation is assigned to a specific aggregation type, which determines the set of available aggregate functions and the default one applied when summarizing results.

Each field supports specific aggregation functions. The system defines a limited number of aggregation sets, and each field type is mapped to one of these sets. Therefore, the default aggregation for a field is determined by its aggregation type, not by the field itself.

For example, the **Number of executions** field supports all aggregations since all are semantically valid. However, its default aggregation is `.avg()`, because fields of this type typically use average as the most meaningful summary. In this particular case, `.avg()` may not always be the most intuitive choice, but it reflects the predefined aggregation rules for this data type.

{% hint style="info" %}
The Visual editor does not currently support changing the default aggregation. Switch to the NQL editor to edit the aggregation function.
{% endhint %}

#### Adding columns in summarize mode <a href="#visualeditor-addingfieldswheninsummarizemode" id="visualeditor-addingfieldswheninsummarizemode"></a>

When [adding columns](#visualeditor-addingfieldstoaninvestigationaddingfields) in summarize mode from the Investigations page > **Visual editor**, consider the following:

* The system adds properties of supported data types—string, UID, Boolean, enumeration, version—to the results list as a `group by` field.
* The system adds metrics to the results list and aggregates the data by default.

#### Adding filters when in summarize mode <a href="#visualeditor-addingfilterswheninsummarizemode" id="visualeditor-addingfilterswheninsummarizemode"></a>

When [adding filters](#visualeditor-addingfilterswheninsummarizemode) in summarize mode from the Investigations page > **Visual editor**, consider the following:

* Filters on properties used in `group by` are reflected in the results.
* Filters on metric numerical values still affect the Investigations results table after disabling the **Summarize results** toggle button.

{% hint style="info" %}
Overall, the system aggregates metric numerical values, but clusters properties using the `group by` clause for supported data types—string, UID, Boolean, enumeration, version.
{% endhint %}

### Visualizing investigation results as a line chart in summarize mode

To see investigation results as a [line chart](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/line-chart) visualization, from the Investigations page > **Visual editor**:

1. Enable the **Summarize results** toggle button in the **Columns** right-side panel.
2. Click on the eye icon in the **Start time** field in the right-side panel to show the results by days.
   * Adding the **Start time** field in the Visual editor is equivalent to querying the breakdown `summarize... by 1d` in the NQL editor. See the query below.
3. Once the summarized results are displayed by days, click the **Toggle to chart view** button.

{% hint style="warning" %}
Line charts created from queries in the NQL editor may [not be supported](#visualeditor-visualeditorunsupportednqlstatements) by the Visual editor.
{% endhint %}

```
campaign.responses during past 7d
| summarize no_of_users = user.count(), no_of_devices = device.count(), no_of_campaigns = campaign.campaign.name.count() by 1d
| list start_time, no_of_users, no_of_devices, no_of_campaigns
```

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-00d27c4ec774a483909d6f6ba8a6cacd6a782531%2FVisualEditor_LineChart_01.1.png?alt=media" alt="Line chart visualization from the Visual Editor."><figcaption></figcaption></figure>

### Visualizing investigation results as a bar chart in summarize mode

To see investigation results as a [bar chart](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/bar-chart) visualization, from the Investigations page > **Visual editor**:

1. Enable the **Summarize results** toggle button in the **Columns** right-side panel.
2. Open the **Add column** pop-up to break down the current summarized fields into properties. In this case, **Hardware -> Device model**.
   * Adding the **Hardware -> Product ID** field in the Visual editor is equivalent to querying the breakdown `summarize... by device.hardware.model` in the NQL editor. See the query below.
3. Once the summarized breakdown is displayed, click the **Toggle to chart view** button.

{% hint style="warning" %}
Bar charts created from queries in the NQL editor may [not be supported](#visualeditor-visualeditorunsupportednqlstatements) by the Visual editor.
{% endhint %}

```
devices during past 7d
| summarize no_of_devices = count() by device.hardware.model
| list no_of_devices, device.hardware.model
```

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-fee2c024aa538eab2b319deaaa972c2921e7702f%2FVisualEditor_BarChart_02.2.png?alt=media" alt=""><figcaption></figcaption></figure>

## Switching from the Visual editor to the NQL editor <a href="#visualeditor-switchingfromvisualeditortonqleditorswitchtonql" id="visualeditor-switchingfromvisualeditortonqleditorswitchtonql"></a>

Investigations created in the Visual editor always have an associated NQL query that you can view by switching to the **NQL editor** tab, and vice-versa for supported cases.

The system alerts you if the Visual editor does not support modifications typed into the NQL editor.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-2cbf890eb59a9e60e379145efe0b8d9e8065dd2f%2Finv-1697443267.png?alt=media" alt="Incompatible NQL query message" width="760"><figcaption></figcaption></figure>

### Visual editor unsupported NQL statements <a href="#visualeditor-visualeditorunsupportednqlstatements" id="visualeditor-visualeditorunsupportednqlstatements"></a>

The following features are not supported by the Visual editor:

* [Arithmetic operators](https://docs.nexthink.com/platform/understanding-key-data-platform-concepts/nexthink-query-language-nql/nql-operators/nql-arithmetic-operators).
* `with` statement—all metrics from associated events are added using `include`.
* `sort` statement on multiple columns.
* `limit` statement.
* `as()` function.
* `contains` comparator. For example: `events during past 7d | where primary_physical_adapter . dns_ips contains 156.64.0.39 / 255`
* `custom_trend` as source.
* Object association tables—linkages—that map the relationships between multiple objects, as source. For instance, `installed_packages`.
* Business-configured objects (BCO) as source. For example, a specific alert is unsupported—only remote actions and campaigns are supported.
* Changing aggregation of the metrics.
* Conditional aggregation and pseudo-aggregates.

The Visual editor loads and displays **Advanced filters** and complex conditions created in the NQL editor. This includes, for example, queries with `or` operators and nested `and` combinations. Switch back to the NQL editor to edit advanced filters.

{% hint style="info" %}
The Visual editor is progressively expanding the number of supported NQL statements. However, the [NQL editor](https://docs.nexthink.com/platform/user-guide/investigations/creating-investigations/nql-editor) currently remains the preferred tool for advanced queries.
{% endhint %}
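
The following Python example is added here and is not Nexthink code: it flags, by keyword matching on pipe-separated clauses, those statements from the unsupported list that can be recognized that way (`with`, `limit`, `as()`, `contains`, and `custom_trend` or `installed_packages` as source). The function name, the regular expressions and `CONSTRUCTED_QUERY` are assumptions; the other two sample queries are taken from this page.

```python
import re

# Quoted values are blanked first so a keyword inside a string is not flagged.
STRING_LITERAL = re.compile(r'"[^"]*"|\'[^\']*\'')

# Heuristic patterns for the source table (the text before the first pipe).
SOURCE_RULES = [
    ("custom_trend as source", re.compile(r"^custom_trend\b")),
    # Only the association table this page names is recognized.
    ("object association table as source", re.compile(r"\binstalled_packages\b")),
]

# Heuristic patterns applied to each pipe-separated clause.
CLAUSE_RULES = [
    ("with statement", re.compile(r"^with\b")),
    ("limit statement", re.compile(r"^limit\b")),
    ("as() function", re.compile(r"\.as\s*\(")),
    ("contains comparator", re.compile(r"^where\b.*\bcontains\b", re.DOTALL)),
]

# Query shown earlier on this page; it was generated by the Visual editor.
PAGE_QUERY = """devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes__0 = crash.number_of_crashes.sum()
| list device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, number_of_crashes__0"""

# The `contains` example from the unsupported list, copied as printed.
PAGE_CONTAINS_QUERY = (
    "events during past 7d | where primary_physical_adapter . dns_ips "
    "contains 156.64.0.39 / 255"
)

# Constructed sample, not from the page: uses `with` and `limit`.
CONSTRUCTED_QUERY = """devices during past 7d
| with execution.crashes during past 7d
| compute crashes = number_of_crashes.sum()
| limit 10"""


def unsupported_in_visual_editor(query: str) -> list[str]:
    """Return labels of listed unsupported features found in the query.

    Keyword heuristics only: arithmetic operators, multi-column sort,
    changed or conditional aggregations and BCO sources are not detected.
    """
    text = STRING_LITERAL.sub('""', query)
    source, *clauses = [part.strip() for part in text.split("|")]
    findings = []
    for label, pattern in SOURCE_RULES:
        if pattern.search(source):
            findings.append(label)
    for clause in clauses:
        for label, pattern in CLAUSE_RULES:
            if pattern.search(clause) and label not in findings:
                findings.append(label)
    return findings


if __name__ == "__main__":
    for name, query in [
        ("page query", PAGE_QUERY),
        ("page contains example", PAGE_CONTAINS_QUERY),
        ("constructed query", CONSTRUCTED_QUERY),
    ]:
        print(name, "->", unsupported_in_visual_editor(query) or "no findings")
```

An empty result means only that none of these keyword patterns matched; the Visual editor's own incompatibility alert remains the authoritative check.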

***

RELATED TOPIC

* [NQL editor](https://docs.nexthink.com/platform/user-guide/investigations/creating-investigations/nql-editor)
* [Roles](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles)
