Live Dashboards NQL examples
This list of NQL query examples is designed to help you create Live Dashboards widgets. Go through the queries below and pick the one most similar to the widget you would like to create and the information that you want to display. Copy the query and adjust it to your use case.
KPI widget
NQL structure to create a KPI widget.
...
summarize <kpi> = <sum() | count() | avg() | max() | min()>Display the total web application errors during the last 7 days.
web.errors during past 7d
| summarize total_errors = number_of_errors.sum() Display the ratio of backend page load duration during the last 7 days.
web.page_views during past 7d
| summarize
backend_dur_ratio = page_load_time.backend.sum() /
page_load_time.overall.sum()Display the estimated savings from remote action remediation in USD.
remote_action.executions during past 30d
| where status == success
| where purpose == remediation
| summarize amt_saved = (number_of_executions.sum()) * (20)
| list amt_saved.as(format = currency,code = usd)Line chart
NQL structure to create a line chart.
<event table> <time_duration>
...
summarize <kpi1>, <kpi2>, ... by <time_duration_granularity>
(list <time>, <kpi1>, <kpi2>, ...)Display average daily backend page load duration, client page load duration, and network duration over the last 7 days, without specifying the list line.
web.page_views during past 7d
| summarize
backend_duration = page_load_time.backend.avg() ,
client_duration = page_load_time.client.avg() ,
network_duration = page_load_time.network.avg() by 1d
Display average daily backend page load duration, client page load duration, and network duration over the last 7 days, using the list line to indicate the parameters that should be included.
web.page_views during past 7d
| summarize
backend_duration = page_load_time.backend.avg() ,
client_duration = page_load_time.client.avg() ,
network_duration = page_load_time.network.avg() by 1d
| list end_time, backend_duration, client_duration, network_durationDisplay the estimated daily total energy consumption in kilowatt-hours (kWh).
execution.events during past 15d
| where device.operating_system.name != "*server*"
| where
(device.hardware.type == laptop
or device.hardware.type == desktop)
| where binary.name in ["nxtsvc.exe", "nxtsvc"]
| summarize
Total_energy_consumption =
(((execution_duration.sum()) ^ (1)) / (3600)) * (30)
by 1d
| list
start_time,
Total_energy_consumption.as(format = energy)Bar chart
NQL structure to create a bar chart.
...
summarize <kpi1>, <kpi2>, ... by <segmentation1>, <segmentation2>, ...Display the number of hard resets and the number of device over the last 7 days, broken down by: platform, hardware manufacturer and model.
device_performance.hard_resets during past 7d
| summarize
num_hard_resets = number_of_hard_resets.sum() ,
num_devices = device.count()
by
device.operating_system.platform ,
device.hardware.manufacturer ,
device.hardware.model
| sort num_hard_resets descDisplay the number of web transactions by application.
web.transactions
| summarize nb_transactions = number_of_transactions.sum()
by application.name
| sort nb_transactions descDisplay the Internet Service Provider (ISP) count excluding unknown ISP.
devices
| where device.public_ip.isp != null
| summarize
devices = device.name.count()
by device.public_ip.isp
| sort devices descDisplay the estimated savings in USD achieved through the workflows, categorized by each trigger method.
workflow.executions during past 30d
| where status == success
| summarize amt_saved = (number_of_executions.sum()) * (100)
by trigger_method
| list trigger_method, amt_saved.as(format = currency,code = usd)
| sort amt_saved descSingle-metric gauge chart
NQL structure to create a single-metric gauge chart displaying the ratio of devices or users when there is a bad event, for example, a crash. It allows to see how devices or users are affected by the issue.
<devices|users>
| include <event table>
| compute temp_bad_number = <device|user>.count()
| summarize
<metric> = temp_bad_number.sum(),
<total> = count()Display the ratio of devices with execution crashes out of all the devices in the company.
devices
| include execution.crashes
| compute crash_cnt = device.count()
| summarize
devices_with_crashes = crash_cnt.sum(),
total_devices = count()NQL structure to display the ratio of events when there is an event such as a crash, freeze, hard reset, system reset.
<devices|users>
| include <bad event table>
| compute temp_metric_number = count()
| include <total event table>
| compute temp_total_number = count()
| summarize
<metric> = temp_metric_number.sum(),
<total> = temp_total_number.sum()Display the ratio of poor quality collaboration sessions out of the total number of sessions.
devices
| include collaboration.sessions
| where video.quality == poor or audio.quality == poor
| compute num_poor_quality_sessions = id.count()
| include collaboration.sessions
| compute num_total_sessions = id.count()
| summarize
poor_quality = num_poor_quality_sessions.sum(),
acceptable_quality = num_total_sessions.sum()NQL structure to display the score metric.
<score table>
| summarize <metric> = <score_field>.avg(), <total> = <total>Multi-metric gauge chart
NQL structure of a multi-metric gauge chart displaying the ratio of devices or users with bad events against objects without them.
<devices|users>
| include <event table>
| compute temp_bad_number = <device|user>.count()
| summarize
<good_label> = count() - temp_bad_number.sum(),
<bad_label> = temp_bad_number.sum()Display the ratio of devices with crashes against those without them.
devices
| include execution.crashes
| compute crash_cnt = device.count()
| summarize
without_crashes = count() - crash_cnt.sum(),
with_crashes = crash_cnt.sum()Display the ratio of devices with bad events against devices without them.
devices
| include <bad event table>
| compute temp_bad_number = count()
| include <total event table>
| compute temp_total_number = count()
| summarize
<good_label> = temp_total_number.sum() - temp_bad_number.sum(),
<bad_label> = temp_bad_number.sum()Display the ratio of devices with hard resets against the ones without them.
devices
| include device_performance.hard_resets
| compute hard_reset_cnt = number_of_hard_resets.sum()
| include device_performance.events
| compute total_cnt = count()
| summarize
no_hard_resets = total_cnt.sum() - hard_reset_cnt.sum(),
hard_resets = hard_reset_cnt.sum()NQL structure to display the ratio of events with a good state against events with a bad state.
<devices|users>
| include <event table>
| where <condition is bad>
| compute temp_bad_number = <device|user>.count()
| include <event table>
| where <condition is good>
| compute temp_good_number = <device|user>.count()
| summarize
<good_label> = temp_good_number.sum(),
<bad_label> = temp_bad_number.sum()Display the ratio of page views with good experience against the ones with a frustrating experience.
users
| include web.page_views
| where experience_level == frustrating
| compute frustrating_cnt = user.count()
| include web.page_views
| where experience_level == good
| compute good_cnt = user.count()
| summarize
good = good_cnt.sum(),
frustrating = frustrating_cnt.sum()NQL structure to display a ratio of users or devices with a good state against the ones with a bad state.
<devices|users>
| include <event table>
| where <condition is bad>
| compute temp_bad_number = <sum|count>
| include <event table>
| where <condition is good>
| compute temp_good_number = <sum|count>
| summarize
<good_label> = temp_good_number.sum(),
<bad_label> = temp_bad_number.sum()Display the ratio of page views with good experience against the ones with a frustrating experience.
users
| include web.page_views
| where experience_level == frustrating
| compute frustrating_cnt = number_of_page_views.sum()
| include web.page_views
| where experience_level == good
| compute good_cnt = number_of_page_views.sum()
| summarize
good = good_cnt.sum(),
frustrating = frustrating_cnt.sum()RELATED TOPICS
Last updated