Investigations NQL examples

This list of query examples is designed to help you perform successful investigations in the Nexthink web interface. Go through the investigations listed below and pick the one most similar to the investigation you’re trying to complete. Copy the query and adjust it to your use case.

Query device tables

Get total incoming traffic for Outlook in the past 7d for all devices.

devices
| include execution.events during past 7d
| where binary.name == "outlook.exe"
| compute total_incoming_traffic = incoming_traffic.sum()
| list device.name, device.entity, total_incoming_traffic

Find out if there have been frequent system crashes in the past hour, for example, if >2% of devices had a crash in the last 24h.

devices during past 24h
| include device_performance.system_crashes
| compute system_crash_count = number_of_system_crashes.sum(), crashing_devices = device.count()
| summarize ratio_of_devices_crashing = crashing_devices.sum() * 100 / count(), total_system_crashes = system_crash_count.sum()

List all devices that need a memory upgrade.

devices during past 7d
| include device_performance.events during past 7d
| compute used_memory_ = event.used_memory.avg(), used_memory_percentage = event.used_memory.avg()*100/device.hardware.memory.avg()
| where used_memory_percentage > 75
| list device.name, device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, device.hardware.memory, used_memory_, used_memory_percentage

Count the number of devices that need a memory upgrade and do a breakdown of devices by hardware manufacturer.

devices during past 7d
| include device_performance.events during past 7d
| compute used_memory_ = event.used_memory.avg(), used_memory_percentage = event.used_memory.avg()*100/device.hardware.memory.avg()
| where used_memory_percentage > 75
| summarize c1 = count() by hardware.manufacturer

List devices with low disk space.

devices
| with device_performance.events during past 124h
| compute free_space_on_system_drive = system_drive_free_space.avg()
| where free_space_on_system_drive < 2000MB

Retrieve devices. List all devices with the Nexthink Collector package installed.

Retrieve devices. List all devices without the Nexthink Collector package installed.

Query other tables

Retrieve installation events. List all uninstallations of a specific package across all devices.
Retrieve packages. List all packages starting with the ones installed on most devices.
Retrieve packages. List all packages starting with the ones installed on fewest devices.
Retrieve packages. List packages installed on fewer than 5 devices but installed on at least one device.
List the number of system crashes grouped by error label for the crash.
Count the number of active devices over time, i.e. during the past 7 days.
Get the history (14d) of the number of devices with low disk space.
Get crash statistics per binary.
Get crash statistics for a selected binary on the timeline.
Compute the average usage time of an application per user per day by departments.
Count campaign responses by campaign and by state to understand campaign progress.
Retrieve binaries from the past 7 days. Summarize them by category and subcategory.
Retrieve binaries from the past 7 days. Summarize them according to the Accessibility category and the Vision Accessibility subcategory.
Retrieve users from the past 7 days. List them according to usage time equal to or over 30 minutes for binaries under the Development Tools category and the Code Editors and IDEs subcategory.
