# Managing Investigations

The Investigations administration page allows you to create, share and manage all of your investigations in one place.

## Managing Investigations from an investigation page

### Saving an investigation <a href="#visualeditor-usingtheinvestigationresulttableforinsights" id="visualeditor-usingtheinvestigationresulttableforinsights"></a>

Click **Save as** in the top-right corner of the Investigations page to save an investigation.

Saved investigations appear on the [Manage Investigations](#managinginvestigations-accessingthemanageinvestigationspage-1) page and in the navigation panel for the Investigations module.

If you are editing an existing investigation:

* Click **Save** to save the changes.
* Click **Save as** to save the investigation under a different name.

<figure><img src="/files/ikosBhZQ6CFtWpfn5Equ" alt=""><figcaption></figcaption></figure>

### Sharing saved investigation

**Share** a saved investigation with groups of Nexthink users based on their user Roles and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation.

{% hint style="info" %}
You need permission to **Manage all investigations** or to **Share private investigations** to be able to **Share** investigations.
{% endhint %}

To share an investigation from the **investigation** page:

1. Click on the three dots icon in the top-right corner of the Investigations page and select **Share** to open the **Share** pop-up.

<figure><img src="/files/JoRCTPYjkZRddj3vcGI3" alt=""><figcaption></figcaption></figure>

2. In the **Add role** text field, type in the user account role you wish to share the investigation with.

<figure><img src="/files/CLyUIO1rdyCMlz1RexzA" alt=""><figcaption></figcaption></figure>

3. From the **Select permissions** drop-down menu, select the appropriate permissions for the profile. The choices are:
   * **View**: Gives a user read-only access to the investigation and the right to save a copy of it.
   * **Edit**: Allows a user to modify and save the investigation to collaborate on it with others.
4. Click **Clear all** to disable all permissions.
5. Click **Grant permissions** to share the investigation.

To remove existing **Share** permissions:

* Hover over the Permissions column for a given permission entry and click on the action menu.
* Select **Remove all permissions**.

<figure><img src="/files/fWMJyakRhbSolPAaaHwh" alt=""><figcaption></figcaption></figure>

All shared investigations appear in the **Shared** tab of the navigation panel. The investigations that you have editing rights to also appear on the [Manage investigations](#managinginvestigations-accessingthemanageinvestigationspage-1) page.

{% hint style="info" %}
The visibility of shared investigations is determined by the **Investigations** permissions granted to the user's [role](/platform/user-guide/administration/account-management/roles.md).
{% endhint %}

### **Sharing an investigation without saving it**

To share an investigation without saving it, use one of the following options:

* Select **Copy link** from the menu in the top-right corner of the Investigations page. **Copy link** shares the search query as a URL, and the link is always treated as a new investigation for the user you send it to.
* Copy the page URL from the browser's address bar.
  * For an investigation that has not been saved, the link shares the search query in the URL and is treated as a new investigation.
  * For a saved investigation, the link opens the existing investigation.

### Exporting investigation results

Select the **Export results** option from the menu in the top-right corner of the Investigations page to export the data returned by the investigation to a CSV file.

<figure><img src="/files/j9e0ZBQO0AFhu4UCuukX" alt=""><figcaption></figcaption></figure>

Nexthink asks you to name this file before downloading it. Consider the following:

* By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.
* Selecting the **Formatted data** checkbox in the **Export results in the CSV** pop-up allows you to format **Raw data**. Open the table below for more details.

<details>

<summary>Exporting <strong>Formatted data</strong> versus <strong>Raw data</strong></summary>

The table below displays the differences between exporting **Raw data** and **Formatted data** for most data types.

<table><thead><tr><th>Data type</th><th>Example of Raw data</th><th>Example of Formatted data</th></tr></thead><tbody><tr><td>bool/bool</td><td><p>0</p><p>1</p></td><td><p>No</p><p>Yes</p></td></tr><tr><td>bytes/bytes</td><td>5109928912799</td><td>4.65 TB</td></tr><tr><td>jsontype[]/device/antivirus</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Cortex XDR™ Advanced Endpoint Protection","realTimeProtection":2,"upToDate":2},{"name":"Microsoft Defender Antivirus","realTimeProtection":3,"upToDate":2}]
</code></pre></td><td>Cortex XDR™ Advanced Endpoint Protection;<br>Microsoft Defender Antivirus</td></tr><tr><td>jsontype[]/device/cpu</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Apple M1 Pro","numberOfCores":10,"numberOfLogicalCpus":10}]
</code></pre></td><td>Apple M1 Pro</td></tr><tr><td>jsontype[]/device/disk</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"APPLE SSD AP1024R","type":3,"bootDisk":true,"size":1.00055561E12}]
</code></pre></td><td>APPLE SSD AP1024R</td></tr><tr><td>jsontype[]/device/firewall</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Windows Firewall","realTimeProtection":2}]
</code></pre></td><td>Windows Firewall</td></tr><tr><td>jsontype[]/device/gpu</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"NVIDIA Quadro P520","ram":"2147483648"},{"name":"Intel UHD Graphics","ram":"1073741824"}]
</code></pre></td><td>NVIDIA Quadro P520;<br>Intel UHD Graphics</td></tr><tr><td>jsontype[]/device/local_admin</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Kanopy@KAN-HDKTYD3","type":1},{"name":"localadmin@KAN-HDKTYD3","type":1}]
</code></pre></td><td>Kanopy@KAN-HDKTYD3;<br>localadmin@KAN-HDKTYD3</td></tr><tr><td>jsontype[]/device/monitor</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"DELL","serialNumber":"D1CLSS2-4133544C","vendor":"DEL","manufacturingYear":2019,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":27.1},{"name":"Wide viewing angle \u0026 High density FlexView Display 1920x1080","vendor":"LEN","manufacturingYear":2018,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":13.9}]
</code></pre></td><td>DELL;<br>Wide viewing angle &#x26; High density FlexView Display 1920x1080</td></tr><tr><td>jsontype[]/device/volume</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"disk0s1","size":5.24288E8,"usage":0.232,"freeSpace":4.02653184E8,"mount":"disk0s1"},{"name":"disk0s2","system":true,"size":4.94384808E11,"usage":0.9055235,"freeSpace":4.6707769E10,"mount":"disk0s2"},{"name":"disk0s3","size":5.3686641E9,"usage":1.0,"mount":"disk0s3"}]
</code></pre></td><td>disk0s1;<br>disk0s2;<br>disk0s3</td></tr><tr><td>numeric/duration</td><td>900</td><td>15min</td></tr><tr><td>numeric/float</td><td>4997.0634765625</td><td>5k</td></tr><tr><td>numeric/long</td><td>4111</td><td>4111</td></tr><tr><td>numeric/integer</td><td>3462</td><td>3.46k</td></tr><tr><td>numeric/numeric</td><td>65287</td><td>65287</td></tr><tr><td>string/bytes</td><td>xdt7cS8oDDrk9zGtfV6hcQ==</td><td>xdt7cS8oDDrk9zGtfV6hcQ==</td></tr><tr><td>string/datetime</td><td>2024-02-23 17:45:00</td><td>23/02/2024 17:45:00</td></tr><tr><td><a data-footnote-ref href="#user-content-fn-1">string/ipAddress</a></td><td>::ffff:192.168.1.23</td><td>::ffff:192.168.1.23</td></tr><tr><td>string/ipAddressArray</td><td>::ffff:62.2.17.60,::ffff:62.2.24.162</td><td>::ffff:62.2.17.60::ffff:62.2.24.162</td></tr><tr><td>string/jsonArrayString</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">["Appinfo","NaturalAuthentication","TokenBroker","UserManager","XblGameSave","shpamsvc"]
</code></pre></td><td>Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc</td></tr><tr><td>string/string</td><td>NXT-FVFWW2RZHV2H</td><td>NXT-FVFWW2RZHV2H</td></tr><tr><td>string/uuid</td><td>a8572a66-e312-4bda-9515-9b9666555aa4</td><td>a8572a66-e312-4bda-9515-9b9666555aa4</td></tr><tr><td>string/version</td><td>[10,0,22000,653]</td><td>10.0.22000.653</td></tr></tbody></table>

</details>

* Select the **Locale** from the drop-down list in the Export dialog based on where the exported file will be used. This applies the appropriate numeric format and ensures the data is interpreted correctly by tools such as Microsoft Excel. The default value is `en-US`.

<figure><img src="/files/tT5m2SLjC8soETKJcIwG" alt=""><figcaption></figcaption></figure>
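The following added example (not Nexthink code) shows one way to post-process a **Raw data** export in a script: it decodes the embedded JSON array and version cells and converts IPv4-mapped IPv6 addresses, then lists local admin accounts that are not on an allow-list. The column names, the second sample row and the `expected_admins` allow-list are assumptions made for illustration.

```python
import csv
import io
import ipaddress
import json

# Constructed sample of a Raw data export. The column names are assumptions;
# the first row reuses raw values from the table above, the second is made up.
SAMPLE_EXPORT = '''name,local_admin,version,ip_address
NXT-FVFWW2RZHV2H,"[{""name"":""Kanopy@KAN-HDKTYD3"",""type"":1},{""name"":""localadmin@KAN-HDKTYD3"",""type"":1}]","[10,0,22000,653]",::ffff:192.168.1.23
EXAMPLE-HOST-02,[],"[10,0,19045,0]",2001:db8::1
'''


def json_names(cell):
    """jsontype[] cell -> list of its "name" values; an empty cell gives []."""
    return [item["name"] for item in json.loads(cell or "[]")]


def dotted_version(cell):
    """string/version cell such as [10,0,22000,653] -> 10.0.22000.653."""
    return ".".join(str(part) for part in json.loads(cell))


def plain_ip(cell):
    """IPv6 notation -> dotted IPv4 text when the address is IPv4-mapped."""
    addr = ipaddress.ip_address(cell)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)


def parse_export(text, expected_admins):
    """Decode each exported row and flag local admins outside the allow-list."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        admins = json_names(rec["local_admin"])
        rows.append({
            "name": rec["name"],
            "version": dotted_version(rec["version"]),
            "ip": plain_ip(rec["ip_address"]),
            "admins": admins,
            # Compare only the account part before "@", case-insensitively.
            "unexpected_admins": [a for a in admins
                                  if a.split("@")[0].lower() not in expected_admins],
        })
    return rows


if __name__ == "__main__":
    for row in parse_export(SAMPLE_EXPORT, expected_admins={"localadmin"}):
        print(row)
```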

### Exporting investigation configuration <a href="#managinginvestigations-accessingthemanageinvestigationspage" id="managinginvestigations-accessingthemanageinvestigationspage"></a>

Select the **Export Investigation** option from the menu in the top-right corner of the Investigations page to export and download your investigations as a JSON file.

{% hint style="info" %}
**Rename** or **Delete** an existing investigation using the action menu from the Investigations page.
{% endhint %}

***

## Managing investigations from the Manage investigations page <a href="#managinginvestigations-accessingthemanageinvestigationspage" id="managinginvestigations-accessingthemanageinvestigationspage"></a>

### Accessing the Manage investigations page <a href="#managinginvestigations-accessingthemanageinvestigationspage" id="managinginvestigations-accessingthemanageinvestigationspage"></a>

Select **Investigations** > **Manage investigations** from the main menu.

The main menu displays **Shared** and **Private** investigations sorted by [tags](#managinginvestigations-tagginginvestigationstagging).

{% hint style="info" %}
Refer to the [Getting started with Investigations](/platform/user-guide/investigations/getting-started-with-investigations.md#gettingstartedwithinvestigations-grantingpermissionsforinvestigationspermissions) documentation to grant permissions for Investigations.
{% endhint %}

<figure><img src="/files/CrjQNnznViHkRyZ2Yo9k" alt="" width="760"><figcaption></figcaption></figure>

### Managing investigations

From the **Manage investigations** page:

1. Click on the name of an investigation to edit it or view the results of the NQL query.
2. Sort the listed investigations by name or by typing/selecting investigation tags.
3. **Import** investigations by choosing or dragging multiple JSON files from your hard drive to bring them into the system as investigations.
   * All imported items will be categorized as custom content.
4. Hover over an investigation to reveal the action menu on the right side of the table.

<figure><img src="/files/JPWbHt5Q1w3qTmuhW3PH" alt="Managing investigations."><figcaption></figcaption></figure>

Hovering over the action menu on the right side of the table allows you to:

* **View**: See the results of the query on the Investigations page.
* **Rename**: Change the name of the investigation.
* **Manage tags**: Create, assign and edit [investigation tags](#managinginvestigations-tagginginvestigationstagging).
* **Share**: Grant permissions to other users to view or edit the investigation. Refer to the [Sharing saved investigation](#sharing-saved-investigation) section on this page.
* **Export**: Export the investigation to a JSON file. Refer to the [Exporting investigation](#exporting-investigation) section on this page.
* **Duplicate**: Create a copy of the investigation.
* **Delete**: Remove the investigation from the system.

### Tagging investigations <a href="#managinginvestigations-tagginginvestigationstagging" id="managinginvestigations-tagginginvestigationstagging"></a>

Tagging allows you to quickly sort and filter investigations. Open the **Tags** right-side panel to:

* Search for a specific tag at the top of the panel.
* Select one or more tags to filter the investigations table.

To add one or more tags to an investigation, from the **Investigations > Manage Investigations** page:

1. Hover over an investigation to display the action menu and choose **Manage tags**.
2. From the **Manage tags** pop-up you can:
   * Type in a new tag or choose an existing one to add it to the investigation.
   * Open the action menu of a specific tag item to **Delete tag** or change the tag color.
     * Deleting a tag only removes it from the investigation it is associated with.
3. Alternatively, select multiple investigations to **Manage tags** in bulk.

<figure><img src="/files/9Uwuf589QyQogOawhhue" alt="Managing tags in bulk."><figcaption></figcaption></figure>

[^1]: The system uses IPv6 notation for both raw and formatted data.


