# Managing Investigations

The Investigations administration page allows you to create, share and manage all of your investigations in one place.

## Managing Investigations from an investigation page

### Saving an investigation <a href="#visualeditor-usingtheinvestigationresulttableforinsights" id="visualeditor-usingtheinvestigationresulttableforinsights"></a>

Click **Save as** in the top-right corner of the Investigations page to save an investigation.

Saved investigations appear on the [Manage Investigations](#managinginvestigations-accessingthemanageinvestigationspage-1) page and in the navigation panel for the Investigations module.

If you are editing an existing investigation:

* Click **Save** to save the changes.
* Click **Save as** to save the investigation under a different name.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-bcdeee5d87e4db887891c91f99ccb0b792bda7b5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Sharing saved investigation

**Share** a saved investigation with groups of Nexthink users based on their user Roles and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation.

{% hint style="info" %}
You need permission to **Manage all investigations** or to **Share private investigations** to be able to **Share** investigations.
{% endhint %}

To share an investigation from the **investigation** page:

1. Click on the three dots icon in the top-right corner of the Investigations page and select **Share** to open the **Share** pop-up.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-414d55560924d4fcf733e3e1f94dd61392d2092b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

2. In the **Add role** text field, type in the user account role you wish to share the investigation with.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-09d7201e2d4d77009a37fa16334ef878a7d35305%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

3. From the **Select permissions** drop-down menu, select the appropriate permissions for the profile. The choices are:
   * **View**: Gives a user read-only access to the investigation and the right to save a copy of it.
   * **Edit**: Allows a user to modify and save the investigation to collaborate on it with others.
4. Click **Clear all** to disable all permissions.
5. Click **Grant permissions** to share the investigation.

To remove existing **Share** permissions:

* Hover over the Permissions column for a given permission entry and click on the action menu.
* Select **Remove all permissions**.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-74a5be5948acf27bf2e613a8b3b425826d3628ec%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

All shared investigations appear in the **Shared** tab of the navigation panel. The investigations that you have editing rights to also appear on the [Manage investigations](#managinginvestigations-accessingthemanageinvestigationspage-1) page.

{% hint style="info" %}
The visibility of shared investigations is determined by the **Investigations** permissions granted to the user's [role](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles).
{% endhint %}

### Sharing an investigation without saving it

To share an investigation without saving it, use one of the following options:

* Select **Copy link** from the menu in the top-right corner of the Investigations page. **Copy link** shares the search query as a URL and is always treated as a new investigation for the user you send the link to.
* Copy the page URL from the browser's address bar.
  * For an investigation that has not been saved, the link shares the search query in the URL and is treated as a new investigation.
  * For a saved investigation, the link opens the existing investigation.

### Exporting investigation results

Select the **Export results** option from the menu in the top-right corner of the Investigations page to export the data returned by the investigation to a CSV file.

Nexthink asks you to name this file before downloading it. Consider the following:

* By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.
* Selecting the **Formatted data** checkbox in the **Export results in the CSV** pop-up allows you to format **Raw data**. Open the table below for more details.

<details>

<summary>Exporting <strong>Formatted data</strong> versus <strong>Raw data</strong></summary>

The table below displays the differences between exporting **Raw data** and **Formatted data** for most data types.

<table><thead><tr><th>Data type</th><th>Example of Raw data</th><th>Example of Formatted data</th></tr></thead><tbody><tr><td>bool/bool</td><td><p>0</p><p>1</p></td><td><p>No</p><p>Yes</p></td></tr><tr><td>bytes/bytes</td><td>5109928912799</td><td>4.65 TB</td></tr><tr><td>jsontype[]/device/antivirus</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Cortex XDR™ Advanced Endpoint Protection","realTimeProtection":2,"upToDate":2},{"name":"Microsoft Defender Antivirus","realTimeProtection":3,"upToDate":2}]
</code></pre></td><td>Cortex XDR™ Advanced Endpoint Protection;<br>Microsoft Defender Antivirus</td></tr><tr><td>jsontype[]/device/cpu</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Apple M1 Pro","numberOfCores":10,"numberOfLogicalCpus":10}]
</code></pre></td><td>Apple M1 Pro</td></tr><tr><td>jsontype[]/device/disk</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"APPLE SSD AP1024R","type":3,"bootDisk":true,"size":1.00055561E12}]
</code></pre></td><td>APPLE SSD AP1024R</td></tr><tr><td>jsontype[]/device/firewall</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Windows Firewall","realTimeProtection":2}]
</code></pre></td><td>Windows Firewall</td></tr><tr><td>jsontype[]/device/gpu</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"NVIDIA Quadro P520","ram":"2147483648"},{"name":"Intel UHD Graphics","ram":"1073741824"}]
</code></pre></td><td>NVIDIA Quadro P520;<br>Intel UHD Graphics</td></tr><tr><td>jsontype[]/device/local_admin</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"Kanopy@KAN-HDKTYD3","type":1},{"name":"localadmin@KAN-HDKTYD3","type":1}]
</code></pre></td><td>Kanopy@KAN-HDKTYD3;<br>localadmin@KAN-HDKTYD3</td></tr><tr><td>jsontype[]/device/monitor</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"DELL","serialNumber":"D1CLSS2-4133544C","vendor":"DEL","manufacturingYear":2019,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":27.1},{"name":"Wide viewing angle \u0026 High density FlexView Display 1920x1080","vendor":"LEN","manufacturingYear":2018,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":13.9}]
</code></pre></td><td>DELL;<br>Wide viewing angle &#x26; High density FlexView Display 1920x1080</td></tr><tr><td>jsontype[]/device/volume</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">[{"name":"disk0s1","size":5.24288E8,"usage":0.232,"freeSpace":4.02653184E8,"mount":"disk0s1"},{"name":"disk0s2","system":true,"size":4.94384808E11,"usage":0.9055235,"freeSpace":4.6707769E10,"mount":"disk0s2"},{"name":"disk0s3","size":5.3686641E9,"usage":1.0,"mount":"disk0s3"}]
</code></pre></td><td>disk0s1;<br>disk0s2;<br>disk0s3</td></tr><tr><td>numeric/duration</td><td>900</td><td>15min</td></tr><tr><td>numeric/float</td><td>4997.0634765625</td><td>5k</td></tr><tr><td>numeric/long</td><td>4111</td><td>4111</td></tr><tr><td>numeric/integer</td><td>3462</td><td>3.46k</td></tr><tr><td>numeric/numeric</td><td>65287</td><td>65287</td></tr><tr><td>string/bytes</td><td>xdt7cS8oDDrk9zGtfV6hcQ==</td><td>xdt7cS8oDDrk9zGtfV6hcQ==</td></tr><tr><td>string/datetime</td><td>2024-02-23 17:45:00</td><td>23/02/2024 17:45:00</td></tr><tr><td><a data-footnote-ref href="#user-content-fn-1">string/ipAddress</a></td><td>::ffff:192.168.1.23</td><td>::ffff:192.168.1.23</td></tr><tr><td>string/ipAddressArray</td><td>::ffff:62.2.17.60,::ffff:62.2.24.162</td><td>::ffff:62.2.17.60::ffff:62.2.24.162</td></tr><tr><td>string/jsonArrayString</td><td><pre class="language-json" data-overflow="wrap"><code class="lang-json">["Appinfo","NaturalAuthentication","TokenBroker","UserManager","XblGameSave","shpamsvc"]
</code></pre></td><td>Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc</td></tr><tr><td>string/string</td><td>NXT-FVFWW2RZHV2H</td><td>NXT-FVFWW2RZHV2H</td></tr><tr><td>string/uuid</td><td>a8572a66-e312-4bda-9515-9b9666555aa4</td><td>a8572a66-e312-4bda-9515-9b9666555aa4</td></tr><tr><td>string/version</td><td>[10,0,22000,653]</td><td>10.0.22000.653</td></tr></tbody></table>

</details>

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-b6c76583990b507585dbbb19a57105c1a0ea18a9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
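
For post-processing a **Raw data** export, the following added example (not Nexthink code) parses the raw `jsontype[]` and `string/version` cells shown in the table and lists local administrator entries that are not on an allowlist. The CSV header names, the allowlist and the second device row are assumptions made for the example, as is matching on the part of the name before `@`.

```python
import csv
import io
import json

def names_from_jsontype(raw):
    """Raw jsontype[] cell -> list of its "name" values (what Formatted data keeps)."""
    return [entry["name"] for entry in json.loads(raw)] if raw.strip() else []

def format_version(raw):
    """Raw string/version cell such as [10,0,22000,653] -> 10.0.22000.653."""
    return ".".join(str(part) for part in json.loads(raw))

def unexpected_local_admins(csv_text, device_col, admin_col, allowed):
    """Map device -> local admin entries whose account part is not in `allowed`."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        extra = [name for name in names_from_jsontype(row[admin_col])
                 if name.split("@", 1)[0].lower() not in allowed]
        if extra:
            findings[row[device_col]] = extra
    return findings

def build_sample():
    """Constructed export. Header names are hypothetical; the first row reuses
    the raw values shown in the table, the second row is made up."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["device_name", "local_admin_raw", "os_version_raw"])
    writer.writerow(["NXT-FVFWW2RZHV2H",
                     '[{"name":"Kanopy@KAN-HDKTYD3","type":1},'
                     '{"name":"localadmin@KAN-HDKTYD3","type":1}]',
                     "[10,0,22000,653]"])
    writer.writerow(["NXT-EXAMPLE-0002",
                     '[{"name":"localadmin@NXT-EXAMPLE-0002","type":1}]',
                     "[10,0,22000,653]"])
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    # The allowlist is an assumption: accounts expected to hold local admin rights.
    print(unexpected_local_admins(sample, "device_name", "local_admin_raw", {"localadmin"}))
    first = next(csv.DictReader(io.StringIO(sample)))
    print(format_version(first["os_version_raw"]))
```
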

### Exporting investigation configuration <a href="#managinginvestigations-accessingthemanageinvestigationspage" id="managinginvestigations-accessingthemanageinvestigationspage"></a>

Select the **Export Investigation** option from the menu in the top-right corner of the Investigations page to export and download your investigations as a JSON file.

{% hint style="info" %}
**Rename** or **Delete** an existing investigation using the action menu from the Investigations page.
{% endhint %}

***

## Managing investigations from the Manage investigations page <a href="#managinginvestigations-accessingthemanageinvestigationspage" id="managinginvestigations-accessingthemanageinvestigationspage"></a>

### Accessing the Manage investigations page <a href="#managinginvestigations-accessingthemanageinvestigationspage" id="managinginvestigations-accessingthemanageinvestigationspage"></a>

Select **Investigations** > **Manage investigations** from the main menu.

The main menu displays **Shared** and **Private** investigations sorted by [tags](#managinginvestigations-tagginginvestigationstagging).

{% hint style="info" %}
Refer to the [Getting started with Investigations](https://docs.nexthink.com/platform/user-guide/getting-started-with-investigations#gettingstartedwithinvestigations-grantingpermissionsforinvestigationspermissions) documentation to grant permissions for Investigations.
{% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-c42f55d80b7cbd2f816645817f5695fbf9975294%2Fmanageinvestigation-1700575781.png?alt=media" alt="" width="760"><figcaption></figcaption></figure>

### Managing investigations

From the **Manage investigations** page:

1. Click on the name of an investigation to edit it or view the results of the NQL query.
2. Sort the listed investigations by name or by typing/selecting investigation tags.
3. **Import** investigations by choosing or dragging multiple JSON files from your hard drive. The files are imported into the system as investigations.
   * All imported items will be categorized as custom content.
4. Hover over an investigation to reveal the action menu on the right side of the table.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-5cc593937ca4229e02b052609b3c5c2c7a97bfa1%2Fimage%20(307).png?alt=media" alt="Managing investigations."><figcaption></figcaption></figure>

Hovering over the action menu on the right side of the table allows you to:

* **View**: See the results of the query on the Investigations page.
* **Rename**: Change the name of the investigation.
* **Manage tags**: Create, assign and edit [investigation tags](#managinginvestigations-tagginginvestigationstagging).
* **Share**: Grant permissions to other users to view or edit the investigation. Refer to the [Sharing saved investigation](#sharing-saved-investigation) section on this page.
* **Export**: Export the investigation to a JSON file. Refer to the [Exporting investigation](#exporting-investigation) section on this page.
* **Duplicate**: Create a copy of the investigation.
* **Delete**: Remove the investigation from the system.

### Tagging investigations <a href="#managinginvestigations-tagginginvestigationstagging" id="managinginvestigations-tagginginvestigationstagging"></a>

Tagging allows you to quickly sort and filter investigations. Open the **Tags** right-side panel to:

* Search for a specific tag at the top of the panel.
* Select one or more tags to filter the investigations table.

To add one or more tags to an investigation, from the **Investigations > Manage Investigations** page:

1. Hover over an investigation to display the action menu and choose **Manage tags**.
2. From the **Manage tags** pop-up you can:
   * Type in a new tag or choose an existing one to add it to the investigation.
   * Open the action menu of a specific tag item to **Delete tag** or change the tag color.
     * Deleting a tag only removes it from the investigation it is associated with.
3. Alternatively, select multiple investigations to **Manage tags** in bulk.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-81d94c0525cc7992437f2f39847c0d5a12b08a50%2Fimage.png?alt=media" alt="Managing tags in bulk."><figcaption></figcaption></figure>

[^1]: The system uses IPv6 notation for both raw and formatted data.
