# Investigations NQL examples This list of query examples is designed to help you perform successful investigations in the Nexthink web interface. Go through the investigations listed below and pick the one most similar to the investigation you’re trying to complete. Copy the query and adjust it to your use case. ## Query device tables

Get total incoming traffic for Outlook in the past 7d for all devices.

``` devices | include execution.events during past 7d | where binary.name == "outlook.exe" | compute total_incoming_traffic = incoming_traffic.sum() | list device.name, device.entity, total_incoming_traffic ```

Find out if there have been frequent system crashes in the past hour, for example, if >2% devices had a crash in last 24h.

``` devices during past 24h | include device_performance.system_crashes | compute system_crash_count= number_of_system_crashes.sum(), crashing_devices= device.count() | summarize ratio_of_devices_crashing= crashing_devices.sum() * 100 / count() , total_system_crashes= system_crash_count.sum() ```

List all devices that need a memory upgrade.

``` devices during past 7d | include device_performance.events during past 7d | compute used_memory_ = event.used_memory.avg(), used_memory_percentage= event.used_memory.avg()*100/device.hardware.memory.avg() | where used_memory_percentage> 75 | list device.name, device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, device.hardware.memory, used_memory_, used_memory_percentage ```

Count the number of devices that need a memory upgrade and do a breakdown of devices by hardware manufacturer.

``` devices during past 7d | include device_performance.events during past 7d | compute used_memory_ = event.used_memory.avg(), used_memory_percentage= event.used_memory.avg()*100/device.hardware.memory.avg() | where used_memory_percentage> 75 | summarize c1 = count() by hardware.manufacturer ```

List devices with low disk space.

``` devices | with device_performance.events during past 124h | compute free_space_on_system_drive = system_drive_free_space.avg() | where free_space_on_system_drive < 2000MB ```

Retrieve devices. List all devices with the Nexthink Collector package installed.

``` devices | with package.installed_packages | where package.name == "Nexthink Collector" ```

Retrieve devices. List all devices without the Nexthink Collector package installed.

``` devices | include package.installed_packages | where package.name == "Nexthink Collector" | compute number_of_package_installed = count() | where number_of_package_installed == 0 ```

### Query other tables

Retrieve installation events. List all uninstallation of a specific package across all devices.

``` package.uninstallations | where package.name == "Nexthink Collector" | list time, device.name, package.name, package.version ```

Retrieve packages. List all packages starting with the ones installed on most devices.

``` package.installed_packages | summarize number_of_packages_installed = count() by package.name | sort number_of_packages_installed desc ```

Retrieve packages. List all packages starting with the ones installed on fewest devices.

``` package.installed_packages | summarize number_of_packages_installed = count() by package.name | sort number_of_packages_installed asc ```

Retrieve packages. List packages installed on fewer than 5 devices but installed on at least one device.

``` package.installed_packages | summarize number_of_packages_installed = count() by package.name | where number_of_packages_installed > 0 and number_of_packages_installed < 5 ```

List the number of system crashes grouped by error label for the crash.

``` device_performance.system_crashes during past 7d | summarize number_of_crashes = number_of_system_crashes.sum() by label | sort number_of_crashes desc ```

Count the number of active devices over time, i.e. during past 7 days.

``` device_performance.events during past 7d | summarize nb_devices = device.count() by 1d | sort start_time asc ```

Get the history (14d) of number of devices with low disk space.

``` device_performance.events during past 14d | where system_drive_free_space.avg <= 1000MB | summarize devices_with_low_disk_space = device.count() by 1d ```

Get crashes statistics per binary.

``` execution.crashes during past 7d | summarize crashes = count(), devices_with_crashes = device.count(), versions_with_crashes = binary.version.count() by binary.name, binary.product_name, binary.platform | sort devices_with_crashes desc ```

Get crashes statistics for selected binary on the timeline.

``` execution.crashes during past 7d | where binary.name = "zscaler" | summarize foreground_crashes = countif(process_visibility == foreground), background_crashes = countif(process_visibility == background), devices_with_crashes = device.count(), versions_with_crashes = binary.version.count() by 1d ```

Compute the average usage time of an application per user per day by departments.

``` web.events during past 7d | where application.name == "Salesforce Lightning" | summarize average_department_usage_time_per_user = duration.sum()/ user.name.count() by ad.department | sort average_department_usage_time_per_user desc ```

Count campaign responses by campaign and by state to understand campaign progress.

``` campaign.responses | where campaign.name != null | summarize number_of_responses = count() by campaign.name, state, state_details | sort campaign.name asc ```

Retrieve binaries from the past 7 days. Summarize them by category and subcategory.

``` binaries during past 7d | where product_category != null | summarize nr_binaries = count() by product_category, product_subcategory | sort product_category asc ```

Retrieve binaries from the past 7 days. Summarize them according to the Accessibility category and the Vision Accessibility subcategory.

``` binary.binaries during past 7d | where binary.product_category != null | where (binary.product_category == "Accessibility" and binary.product_subcategory == "Vision Accessibility") | list binary.name, binary.product_name, binary.version, binary.product_category, binary.product_subcategory ```

Retrieve users from the past 7 days. List them according to usage time equal or over 30 minutes for binaries under the Development Tools category and the Code Editors and IDEs subcategory.

``` users during past 7d | include execution.events during past 7d | where binary.product_category == "Development Tools" and binary.product_subcategory == "Code Editors and IDEs" | compute usage_time = execution.event.focus_time.sum() | where usage_time >= 30min ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.nexthink.com/platform/user-guide/investigations/investigations-nql-examples.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.