NQL data model
Last updated
Last updated
Consult the Understanding key data platform concepts page for more information about the various data model concepts.
This page does not include the dynamic data model, such as custom trends, custom fields or custom organizational classification, which is individual for each organization based on specific content and product configurations.
devices
Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.
device.antiviruses
The list of antivirus registered on the device and reported through WMI.
device.cpus
The list of CPU model names and their nominal clock speeds.
device.disks
The list of storage devices.
device.firewalls
The list of firewalls registered on the device and exposed through the Windows Security Center.
device.gpus
The graphics processing unit.
device.local_admins
The list of users and groups that are members of the local Administrators group on the device.
device.monitors
The list of monitors connected to the device.
device.volumes
The list of logical storage volumes.
binaries
Table of binaries. A binary is an executable binary file identified by its hash code.
users
Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.
alert.monitors
The table of defined alert monitors in the system.
alerts
The table collecting information about instances where metric values go outside normal parameters as defined in monitors.
alert.impacts
The table collecting information about instances of an alert impact.
applications
Table of defined applications.
application.network_applications
Table of defined network applications.
application.pages
Table of defined key pages.
application.transactions
Table of defined transactions.
campaigns
The table collecting all active and retired campaigns.
campaign.responses
The table collecting responses (expected or given) of a campaign by an employee.
collaboration.sessions
Table collecting meetings performed with collaboration tools such as Teams or Zoom.
connection.events
The connections.events table contains events for outgoing TCP connections and UPD packages. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated to binaries, users, devices, and applications (optional).
connection.tcp_events
The connections.tcp_events table has been deprecated. Please use 'connection.events' table instead.
connection.udp_events
The connections.udp_events table has been deprecated. Please use 'connection.events' table instead.
connectivity.events
Table collecting performance metrics and attributes specific to a device's connectivity.
device_performance.boots
The table collecting boots of devices.
device_performance.events
The table collecting performance metrics and attributes specific to a device.
device_performance.hard_resets
The table contains hard resets, which occur when a device reboots without first completing the shutdown procedure. This could apply to situations where a device totally freezes up and can only be restarted by turning it off first, as well as situations involving power outages.
device_performance.system_crashes
The table collecting the system crashes of the devices.
dex.application_scores
application_score
dex.scores
A table of the DEX score.
execution.crashes
The table collecting crashes of a running process.
execution.events
The table collecting performance metrics and attributes specific to a process execution.
packages
A table of packages. A package is a group of files and executables that together constitute a software application.
package.installations
A table of package installation events.
package.uninstallations
A table of package uninstallation events.
package.installed_packages
A table of all installed packages on all devices.
platform.audit_logs
The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'
platform.custom_trends_logs
The list of all logs associated to custom trends computations. Requires permission 'View platform logs in NQL'.
platform.data_export_logs
data_export_log
remote_actions
The table of defined remote actions.
remote_action.executions
The table collecting the executed remote actions.
remote_action.executions_summary
The table collecting the trend of executed remote actions.
services
A table of services. A service performs automated tasks, respond to hardware events, or listen for data requests from other software. These services are often loaded automatically at startup, and run in the background, without user interaction
service.changes
Timeline of events when an attribute of an existing service has changed on a device. The attributes tracked by these events are the same as in the installed_services table. Eg. logon_as & startup_type.
service.installations
Punctual event, indicating when an service was added or removed to a particular device.
service.installed_services
A table of all installed services on all devices.
session.connects
The table collecting connections linked to user sessions.
session.disconnects
The table collecting disconnections linked to user sessions.
session.events
The table collecting performance metrics and attributes specific to both local and remote sessions.
session.lifecycle_events
The table collecting all events linked to user sessions.
session.locks
The table collecting locks linked to the user sessions.
session.logins
The table collecting all session logins.
session.logouts
The table collecting all session logouts.
session.unlocks
The table collecting unlocks linked to user sessions.
software_metering.meter_configurations
meter_configuration
software_metering.events
event
web.errors
The table collecting errors of defined business-critical services.
web.errors_summary
The table collecting errors of defined business-critical services up to 90d
web.events
The table collecting events of defined business-critical services.
web.events_summary
The table collecting events of defined business-critical services up to 90d
web.page_views
Table collecting page views of defined business-critical services.
web.page_views_summary
Table collecting page views of defined business-critical services up to 90d
web.transactions
The table collecting transactions of defined business-critical services.
web.transactions_summary
The table collecting transactions of defined business-critical services up to 90d
workflows
workflow
workflow.executions
execution
workflow.executions_summary
execution_summary
The device namespace includes one large devices table, which has multiple fields referring to device properties such as hardware, operating system and also Nexthink Collector.
Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.
ad_site
string
AD site: Indicates the site to which the device is assigned to in Active Directory (AD). Details: In case the device is not part of a domain, the value shows as "-".
Windows macOS
boot.days_since_last_full_boot
integer
Days since last full boot: The number of days since the device last boot following a restart or a complete shutdown.
Windows macOS
boot.last_full_boot_duration
duration
Last full boot duration: The duration of the device last boot following a restart or a complete shutdown.
Windows
boot.last_full_boot_time
datetime
Last full boot time: The date and time of the device last boot following a restart or a complete shutdown.
Windows macOS
collector.last_update_status
string
Collector last update status: The last update status received from a specific Collector instance.
Windows macOS
collector.last_update_status_date
datetime
Collector last update status date: The reception date of the last update status for a specific Collector instance.
Windows macOS
collector.local_ip
ipAddress
Collector local IP: The local IP used for the traffic between the endpoint and the Nexthink Instance.
Windows macOS
collector.tag_id
integer
Collector tag: The configurable number that identifies a group of Collector instances. The tag is useful for defining the entities to build hierarchies. Details: An optional field that must be an integer number between 0 and 2147483647. Could complement the Collector string tag.
collector.tag_string
string
Collector string tag: The configurable label that identifies a group of Collector instances. The string tag is useful for defining the entities to build hierarchies. Details: An optional field, with a maximum length of 2048 characters. Could complement the Collector tag.
Windows macOS
collector.target_update_date
datetime
Collector target update date: The date when the devices install the target version.
Windows macOS
collector.target_version
version
Collector target version: The version to which all Collector instances update next.
Windows macOS
collector.uid
uuid
UID: The Collector unique identifier, provided using the UUID format.
collector.update_group
string
Collector update group: For scheduling separate waves of Collector updates, the devices are assigned to one of the available update groups.Possible values:
Pilot
Main
Unsupported OS
Details: By default, 10% of all the Collector instances are assigned to the Pilot update group. The Pilot group starts updating two days after a new Collector version is available. The Main group starts updates 14 days after the Pilot group.
Windows macOS
collector.version
version
Collector version: Indicates the version of the Collector instance installed on the device.
Windows macOS
connectivity.last_connectivity_type
enumeration
Connectivity type: Last type of network adapter used. Possible values are:
WiFi
Ethernet
Bluetooth
Windows macOS
connectivity.last_local_ip
ipAddress
Local IP: The last local IP address for the primary physical network adapter of the device.
Windows macOS
days_since_first_seen
integer
Days since first seen: The number of days since the first time the device was seen by the Nexthink instance.
Windows macOS
days_since_last_seen
integer
Days since last seen: The number of days since the last time the device was seen active by the Nexthink instance.
Windows macOS
distinguished_name
string
Distinguished name: The unique identifier of a device when joined to a domain or workgroup. Details: Shows as "-" when the device is not part of a domain or workgroup.
Windows macOS
entity
string
Entity: A customizable field used for organizing a group of devices into logical groups.
Windows macOS
first_seen
datetime
First seen: The date and time the device was first seen by the Nexthink instance.
Windows macOS
group_name
string
Group name: The name of the security group containing the device when joined to a domain or workgroup.
Windows
hardware.bios_serial_number
string
BIOS serial number: The serial number of the motherboard. Details: On macOS, this is the same as the chassis serial number.
Windows macOS
hardware.chassis_serial_number
string
Chassis serial number: The chassis serial number. Details: On macOS, this is the same as the BIOS serial number.
Windows macOS
hardware.machine_serial_number
string
Machine serial number: The unique serial number of the device in a UUID format.
Windows macOS
hardware.manufacturer
string
Manufacturer: The short name of the device manufacturer. Details: While devices might natively report slight variations of it, for example, sometimes dependent on the model or year of introduction, the information is simplified to ensure consistency across different devices of the same manufacturer.
Windows macOS
hardware.memory
bytes
Installed memory: The total amount of random-access memory (RAM) installed on the device.
Windows macOS
hardware.model
string
Device model: The model of the device. Details: On Windows, it is provided by the device manufacturer using the WMI interface as the product name. On macOS it is the "model id" provided by System Profiler.
Windows macOS
hardware.product_id
string
Product ID: A variant of a specific device model, sometimes also referred to as the SKU number. Details: Provided by the device manufacturer through the WMI interface as the SKUNumber.
Windows
hardware.product_line
string
Product line: The product line or hardware version information. Details: Provided by the device manufacturer through the WMI interface as the product version.
Windows macOS
hardware.type
enumeration
Device type: The device form factor:
desktop
laptop
virtual
Details: The Windows devices are considered to be a laptop if they have a "lid closed" sensor. For macOS this information comes from the device model.
Windows macOS
last_seen
datetime
Last seen: The date and time of the last device activity received by the Nexthink instance.
Windows macOS
license_type
enumeration
License type: The type of license used for this device. Possible values:
endpoint
server
thin_client
Windows macOS
location.country
string
Country: The country where the device is located.
Windows macOS
location.site
string
Site: Custom-defined identifier (office, city, ...) where the device is located.
Windows macOS
location.state
string
State: The subdivision (for example, state) where the device is located.
Windows macOS
location.type
string
Location type: The type of location indicates whether the device is onsite or remote.
Windows macOS
login.last_login_user_name
string
Last logged in user: The name of the user associated to the last login on the device.
Windows macOS
membership_type
enumeration
Membership type: The type of computer group membership. Possible values:
standalone
workgroup
domain
open directory
Details: Possible values:
domain
workgroup
standalone
open directoryWhen not available, shows as "-".
Windows
name
string
Name: The name of the device as used by the operating system for identification purposes on the local network. Details: Source:
For Windows: NetBios Name
For macOS: LocalHostName
Windows macOS
operating_system.architecture
enumeration
Architecture: The architecture of the device operating system. The instruction set it can natively execute. Details: Possible values:
x86
x64
ARM64
Windows macOS
operating_system.build
version
Build: The build number of the operating system. Details: The build number is set to "0.0.0.0" if the Collector version is incompatible or the data is not yet available.
Windows
operating_system.days_since_last_update
integer
Days since last system update: The number of days since the last system update.
Windows
operating_system.is_activated
bool
Is activated: The Windows license activation status. Details: macOS does not require a license since OSX 10.9 Mavericks (released in 2013), and shows as "-".
Windows
operating_system.last_update
datetime
Last system update: The date and time of the last system update.
Windows
operating_system.name
string
Name: The combination of the name, version and architecture (when applicable) of the operating system. Details: The operating system name is set to "Unknown" if the name or version cannot be retrieved or mapped to a valid value.
Windows macOS
operating_system.platform
enumeration
Platform: The software platform composed of a collection of operating system families providing access to the same objects, activities, events and properties. Details: Possible values are:
Windows
macOS
Linux
Windows macOS
operating_system.wmi_status
enumeration
WMI status (deprecated): This field is deprecated and will be replaced in the future. Details: The status of the WMI extension Collector relies on for device identification. Used internally to mitigate potential transient issues with this particular WMI source.
Windows
organization.entity
string
Entity: The organizational entity to which the device belongs.
public_ip.city
string
City: The city where the device is located.
Windows macOS
public_ip.country
string
Country: The country where the device is located.
Windows macOS
public_ip.ip_address
ipAddress
Public IP address: The public IP address of the device.
Windows macOS
public_ip.isp
string
ISP: The internet service provider of the device.
Windows macOS
public_ip.state
string
State: The subdivision (for example, state) where the device is located.
Windows macOS
sid
string
SID: The Security Identifier (SID) of the device, often used for identification and permission control purposes.
Windows
uid
uuid
Device UID: Unique identifier of the device.
Windows macOS
user_account_control_status
enumeration
User account control status: Indicates if the User Account Control (UAC) is configured, forcing applications to request explicit approval from the user to make changes to the computer or to run with elevated permissions. Details: Possible values:
ok (apps ask for approval)
at risk
unknown
virtualization.desktop_broker
enumeration
Desktop broker: Name of the desktop virtualization product used to broker the remote desktop connections.
Windows
virtualization.desktop_pool
string
Desktop pool name: The hardware characteristics of the associated virtual machines.
Windows
virtualization.disk_image
string
Disk image: Name of the disk image used to deploy the virtual machine.
Windows
virtualization.environment_name
string
Environment name: Name of the connector used to retrieve the virtualization details.
Windows
virtualization.hostname
string
Virtualization hostname: The physical device on which the virtual machine is hosted.
Windows
virtualization.hypervisor_name
string
Hypervisor name: The hardware virtualization system running the virtual machine.
Windows
virtualization.instance_size
string
Instance size: A predefined configuration that determines the CPU, memory and storage which is allocated to a virtual machine.
Windows
virtualization.last_update
datetime
Last update: Date and time when the desktop virtualization information was last updated.
Windows
virtualization.region
string
Region: Geographical areas where one or more Microsoft Azure data centers are located.
Windows
virtualization.type
enumeration
Desktop pool type: The type of the desktop pool. Possible values are:
shared, several users work on the same virtual machine at the same time
personal, the virtual machine is used by one user at a time and all changes to the system persist
pooled, the device is used by one user at a time and during the logoff all changes including documents and data are erased.
Windows
The list of antivirus registered on the device and reported through WMI.
is_up_to_date
enumeration
Up to date: The up-to-date status of the antivirus. Possible values are:
yes
no
not_reported
not_applicable
Windows
name
string
Name: The name of the main antivirus.
Windows
real_time_protection
enumeration
Real-time protection: The status of the antivirus real time protection (RTP). Possible values are:
not_reported: incompatible Collector version or the data is not yet available
enabled: : indicates that the RTP is active
disabled: indicates that either the RTP is inactive or the antivirus is not detected
partially_enabled
not_applicable
Windows
The list of CPU model names and their nominal clock speeds.
frequency
integer
CPU frequency: The CPU base frequency in MHz. The base frequency can be much smaller than the maximum turbo frequency. For example, the Intel Core i7-8565U CPU has a base frequency of 1.80 GHz and a maximum frequency of 4.6 GHz.
Windows macOS
name
string
CPU name: The CPU model.
Windows macOS
number_of_cores
integer
Number of cores: The number of CPU cores.
Windows macOS
number_of_logical_processors
integer
Number of logical processors: The number of CPU cores multiplied by the number of threads that can run on each core using hyperthreading.
Windows macOS
The list of storage devices.
capacity
bytes
Capacity: The disk capacity. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
Windows macOS
is_bootable
bool
Is bootable: Returns the value "yes" when the device boots from that disk.
Windows macOS
name
string
Name: The name of the physical or virtual disk drive.
Windows macOS
type
enumeration
Type: The type of drive. Possible values are:
HDD
SSD
Other
Windows macOS
The list of firewalls registered on the device and exposed through the Windows Security Center.
name
string
Name: The name of the main firewall.
Windows
real_time_protection
enumeration
Real-time protection: The status of the firewall real time protection (RTP). Possible values are:
not_reported: incompatible Collector version or the data is not yet available
enabled: indicates that RTP is active
disabled: indicates that either RTP isn’t active or no antivirus has been detected
partially_enabled
not_applicable
Windows
The graphics processing unit.
memory
bytes
Memory: The video memory in bytes.
Windows
name
string
Name: The graphics card name.
Windows
The list of users and groups that are members of the local Administrators group on the device.
name
string
Name: The users who are members of the local Administrators group on the device.
Windows
type
enumeration
Type: The type of the user. Possible values are:
user
group
Windows
The list of monitors connected to the device.
diagonal_size
float
Diagonal size: The diagonal size in inches.
Windows
horizontal_resolution
integer
Horizontal resolution: The maximum horizontal resolution in pixels.
Windows
name
string
Name: The monitor name.
Windows
serial_number
string
Serial number: The monitor serial number.
Windows
vendor
string
Vendor: The monitor vendor.
Windows
vertical_resolution
integer
Vertical resolution: The maximum vertical resolution in pixels.
Windows
The list of logical storage volumes.
capacity
bytes
Capacity: The volume capacity in bytes. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
Windows macOS
name
string
Name: The name of the volume.
Windows macOS
system
bool
Operating system volume: Returns the value "yes" when the volume contains the operating system.
Windows macOS
usage
float
Usage: The volume usage in percent.
Windows macOS
Table of binaries. A binary is an executable binary file identified by its hash code.
Table of binaries. A binary is an executable binary file identified by its hash code.
architecture
enumeration
Architecture: The operating system architecture the binary is compiled for (32-bit or 64-bit).
Windows macOS
company
string
Company: The name of the company that produced the binary. Details: Information retrieved from the file properties.
Windows macOS
description
string
Description: Used for describing the purpose of the binary or to complement it with additional details. Details: Description is generated by AI.
Windows macOS
first_seen
datetime
First seen: The date and time the binary was first seen by the Nexthink instance.
Windows macOS
has_user_interface
bool
Has user interface: Indicates if the binary has an interactive window while running. Details: On Windows platform the reported value is 'true', or 'false' if the binary has no interactive window or if the information is not available. Any other platform is always NULL.
Windows
last_seen
datetime
Last seen: The date and time of the last binary activity received by the Nexthink instance.
Windows macOS
md5_hash
bytea
MD5 hash: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The MD5 hash represented in base64 format.
Windows macOS
md5_hash_hex
bytea
MD5 hash hex: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The MD5 hash represented in hex format.
Windows macOS
name
string
Name: The file name of the binary.
Windows macOS
platform
enumeration
Platform: The operating system family on which the binary natively runs. Details: Possible values are:
Windows
macOS
Linux
Windows macOS
product_category
string
Product category: Category is a broad, general classification of similar products. Details: Category is generated by AI.
Windows macOS
product_name
string
Product name: The name of the application associated with the file. Details: Information retrieved from the file properties.
Windows macOS
product_subcategory
string
Product subcategory: Subcategory is a more specific classification or subdivision within a larger category. Details: Subcategory is generated by AI.
Windows macOS
sha-1_hash
bytea
SHA-1 hash: The SHA-1 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary. Details: The SHA-1 hash represented in base64 format.
Windows macOS
sha-1_hash_hex
bytea
SHA-1 hash hex: The SHA-1 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The SHA-1 hash represented in hex format.
Windows macOS
sha-256_hash
bytea
SHA-256 hash: The SHA-256 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary. Details: The SHA-256 hash represented in base64 format.
Windows macOS
sha-256_hash_hex
bytea
SHA-256 hash hex: The SHA-256 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The SHA-256 hash represented in hex format.
Windows macOS
size
bytes
Size: The size of the binary file, in bytes.
Windows macOS
uid
uuid
Binary UID: The unique identifier for the binary.
Windows macOS
version
version
Version: The version of the binary file, retrieved from the file properties.
Windows macOS
The users table within the user namespace, includes information about the individual accounts across the IT infrastructure. It contains all employees recognized by your Nexthink instance. Most of the table fields are derived from Entra ID and are included in the "ad" grouping. A user may have access to more than one device.
Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.
ad.city
string
City: The name of the city the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.country_code
string
Country code: The country or region the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: The country or region is represented as a two-character code based on the ISO-3166 standard. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.department
string
Department: The name of the department the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.distinguished_name
string
Distinguished name: The unique identifier of a domain user for an on-premises Active Directory (AD). Requirements: Requires one or more connectors for Entra ID correctly configured, and Entra ID needs to be synchronized with an on-premises AD. Details: The distinguished name follows the LDAP syntax. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.email_address
string
Email address: The email address of the user. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.full_name
string
Full name: The name displayed in the address book for the user. This is usually the combination of the user first name, middle initial and last name. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.job_title
string
Job title: The job title assigned to the user in Active Directory. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.last_update
datetime
Last update: The date and time of the last update received for the user information from Entra ID.
Windows macOS
ad.office
string
Office: The name of the physical location or office the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.organizational_unit
string
Organizational unit name: The name of the directory folder containing the user account. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
ad.username
string
AD Username: The name of the user account as it appears in Entra ID. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.
Windows macOS
days_since_first_seen
integer
Days since first seen: The number of days since the first time the user account was seen by the Nexthink instance.
Windows macOS
days_since_last_seen
integer
Days since last seen: The number of days since the last time the user account was seen active by the Nexthink instance.
Windows macOS
first_seen
datetime
First seen: The date and time the user account was first seen by the Nexthink instance.
Windows macOS
last_seen
datetime
Last seen: The date and time of the last user account activity received by the Nexthink instance.
Windows macOS
name
string
Username: The name of the user account on the local device. Requirements: The collector is configured to report the username: Configuring Collector level anonymization Details: Depending on the configuration, the Collector reports username in cleartext, as a hashed value or not at all.
Windows macOS
sid
string
SID: The unique security identifier (SID) of the user account on Windows. Details: On Windows, each user account has a unique security identifier (SID) used to provide access to system resources. On macOS, a unique SID is generated by Nexthink to facilitate user identification.
Windows macOS
type
enumeration
Type: The type of the user account. Details: Nexthink recognizes three types of user accounts:
A local user account is an account that only exists on a single device. It cannot be used to login to systems other than that specific device.
A domain user account is a user account managed by Microsoft Active Directory, enabling users to log in across various devices and access multiple services.
A system account is a form of a local account that has special privileges on a device.
Windows macOS
uid
uuid
User UID: The value that uniquely identifies a user on the Nexthink platform.
Windows macOS
upn
string
UPN: The User Principal Name (UPN), a unique identifier for a user account Requirements: The Collector reports the UPN for Active Directory and Microsoft Entra ID user accounts on Windows, and for mobile and Jamf Connect-linked local user accounts on macOS. Nexthink does not report UPNs for system accounts or local accounts (without Jamf Connect for macOS). The collector must be configured to report the UPN: Configuring Collector level anonymization Details: The User Principal Names (UPN) is a standardized identifier for users (RFC822). Normally, it takes the form of an email address. The UPN allows to uniquely identify a user across systems, for example, devices with different OS platforms. Nexthink uses the UPN to enrich user objects with data from third-party services. If the Collector cannot retrieve the UPN for a user, the UPN is NULL (displayed as “-”) and the upn_privacy_level is set to no_import (independent from the Collector configuration).
Windows macOS
upn_privacy_level
enumeration
UPN privacy level: Indicates how securely the User Principal Name (UPN) is stored by the Nexthink instance. Requirements: The collector is configured to report the UPN: Configuring Collector level anonymization Details: The User Principal Name (UPN) privacy level is a Collector configuration parameter on the user device. Depending on the configuration, the Collector reports UPN in cleartext, as a hashed value or not at all. The options are represented by the following values:
cleartext
hashed
no_import
Windows macOS
The alert namespace consists of two tables: alerts and monitors. Monitors store sets of rules configured by Nexthink users (monitor name, threshold, priority, etc.), describing acceptable limits for metrics. Alerts store information about instances where metric values go outside normal parameters as defined in monitors. You may want to query the alerts table if you have permission to run investigations but are not allowed to access alerts dashboards or when creating dashboards for reporting.
The table of defined alert monitors in the system.
comparison_operator
enumeration
Comparison operator: Determines when a monitor should trigger an alert. Details: It is one of the key elements used to define the conditions within a monitor in order to trigger an alert. It is specifically utilized when setting up the breaching criteria for the primary metric. A comparison operator allows for the comparison of values to determine if the specified condition is met. Possible values are:
at_least
less_or_equal
multiple_contexts
bool
Multiple-context: Indicates if the monitor triggers alerts with different contexts. Details: The value is set to "Yes" when NQL has a "group by" clause.
name
string
Monitor name: The assigned name of a configured monitor. Details: A monitor is a defined set of metrics and conditions used to continuously observe a system or process and trigger an alert when certain criteria are met. The name of the custom monitor can be changed after creation. Do not consider it as a unique identifier.
nql_id
string
NQL ID: The unique NQL identifier of the monitor. Details: NQL ID cannot be changed after initial creation.
origin
enumeration
Monitor origin: Indicates where the monitor originates from. Monitors can be built-in to the Nexthink platform (system), installed using a library pack (library) or created manually (custom)
priority
enumeration
Priority: The importance of alerts that are triggered by the monitor. Details: Possible values are:
critical
high
medium
low
defined by the user in the monitor configuration.
status
enumeration
Status: The status of the monitor as set in the "Manage monitors". Details: Possible values are:
active
deleted
tags
jsonArrayString
Alert tags: List of user-defined labels that are assigned to a monitor and subsequently utilized for filtering alerts that are generated by the monitor. Details: Tags are created and specified within the monitor configuration. By assigning tags to monitors, users can categorize and organize monitors based on specific criteria, making it easier to filter and manage alerts based on these tags. Up to 10 custom tags are allowed per monitor.
threshold
float
Threshold: It defines the value of the primary metric that must be exceeded for the monitor to trigger an alert. Details: The threshold value serves as a reference point against which the metric actual value is compared to determine if it breaches the defined condition and triggers an alert.
thresholds
jsonArrayString
Thresholds: It contains the values of all metrics that need to be breached to trigger an alert.
type
enumeration
Monitor type: The chosen method used for monitoring. It identifies the specific approach employed to observe and evaluate the system or process being monitored. Details: Possible values are:
metric_threshold
metric_change
The table collecting information about instances where metric values go outside normal parameters as defined in monitors.
alerts are punctual events.
alerts are associated to user, device, monitor
context
jsonArrayString
Context: The relevant information needed to understand alert. Details: Depending on the alert, the context information may contain the name of the binary, device or user associated with the alert. It is the JSON-formatted payload of the alert.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
context_hash
string
Context hash: The unique fingerprint of the alert context. Details: The fingerprint is created by calculating an MD5 hash context.
duration
duration
Alert duration: The duration when the alert is active. Details: It is calculated as the time between the trigger and the recovery if the alert is closed, or between the trigger and now if the alert is open.
is_auto_recovery
bool
Auto-recovery: Indicates if the alert was auto-recovered. Details: Auto-recovery takes place when there are no events recorded for the metric(s) specified in the monitor configuration within the selected timeframe. Yes, if the alert is auto-recovered
is_grouped
bool
Group alert: It represents a situation where too many alerts have been generated by a single monitor at the same time. The monitor will not generate any more alerts until the situation has been resolved.
number_of_alerts
long
Number of alerts: The number of alerts triggered.
recovery_reference_value
float
Recovery reference value: It contains the reference value of the main (first) monitored metric that is checked to recover an alert.
recovery_time
datetime
Recovery time: Contains the date and time at which the alert was recovered.
recovery_value
float
Recovery value: The value of the metric that caused the alert to be recovered. Equal to the first metric value if more than one trigger condition is defined.
recovery_values
jsonArrayString
Recovery values: The lists of values of all the monitored metrics reported when the alert has recovered.
status
enumeration
Status: The status of the alert event. The status can be open or closed. Details:
Open: the alert is currently active.
Closed: the alert has been recovered.
time
datetime
Alert time: Alert bucket time.
trigger_reference_value
float
Trigger reference value: The reference value of the metric against which the current value was compared to trigger the alert.
trigger_time
datetime
Trigger time: The date and time when the alert was raised.
trigger_value
float
Trigger value: The value of the metric that bypassed the threshold defined in the monitor configuration and caused the alert to be raised. Details: Equal to the first metric value if more than one trigger condition is defined
trigger_values
jsonArrayString
Trigger values: The values of the metrics that bypassed the thresholds defined in the monitor configuration and caused the alert to be raised.
uid
uuid
Alert event UUID: The unique identifier of the alert event.
The table collecting information about instances of an alert impact.
impacts are punctual events.
impacts are associated to user, device, monitor
alert_uid
uuid
Associated alert event UUID: The unique identifier of the associated alert event.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Impact duration: The duration of the impact. Details: It is calculated as the time between the "from_time" and the "to_time" if there is more than one trigger, or between the "from_time" and now if there is only one trigger.
from_time
datetime
Impact from: Impact from
to_time
datetime
Impact to: Impact to
The application namespace contains a set of tables that store information about business-critical services configured by Nexthink users in the Application module. The tables include configuration data such as the name and ID of each application, as well as defined key pages and transactions. These tables can be queried alongside associated tables to help identify issues with business-critical services.
Table of defined applications.
category
enumeration
Category: The category of the application. We have three categories, collaboration, connectivity and standard. Requirements: The applications need to be defined through the application configuration menu. Details: Connectivity applications (for example VPN, ZTNA, XDR) will be highlighted in the device view, to correlate their activity with any employee connectivity issues. Collaboration applications (for example Teams, Zoom) will be displayed in device view timeline under Collaboration section. Any other application falls under the Standard category. Applications are assigned the 'Standard' category by default, users can select the 'Connectivity' or 'Collaboration' category when applicable. More info from the documentation
name
string
Name: The name of the web, desktop or hybrid application. Requirements: The applications need to be defined through the Applications configuration menu. Details: More info from the documentation
Table of defined network applications.
category
enumeration
Category: The category of the network application. We have three categories, collaboration, connectivity and standard. Requirements: The network applications need to be defined through the application configuration menu. Details: Connectivity applications (for example VPN, ZTNA, XDR) will be highlighted in the device view, to correlate their activity with any employee connectivity issues. Collaboration applications (for example Teams, Zoom) will be displayed in device view timeline under Collaboration section. Any other application falls under the Standard category. Applications are assigned the 'Standard' category by default, users can select the 'Connectivity' or 'Collaboration' category when applicable. More info from the documentation
name
string
Name: The name of the network application. Requirements: The network applications need to be defined through the Applications configuration menu. Details: More info from the documentation
Table of defined key pages.
name
string
Name: The name of the key page defined for a web application. Key pages divide a web application into functionally relevant parts based on URL patterns. Requirements: The key pages need to be defined through the application configuration menu. Details: More info from the documentation
Table of defined transactions.
name
string
Name: The name of the transaction defined for a web application. A transaction is an employee action or event in a web application that creates business value for the company. Requirements: The transactions need to be defined through the application configuration menu. Details: More info from the documentation
The campaign namespace consists of two tables. The campaign table stores information about campaigns configured by Nexthink users (such as campaign id, name, trigger method, etc.). The responses table collects all responses to campaigns. It indicates whether the employee declined or postponed the campaign or how many questions they answered.
The table collecting all active and retired campaigns.
name
string
Name: The name of a campaign. Details: User defined through the Campaigns user interface or Finder For Infinity campaigns, only configured campaigns in the state published and retired are available in the data model. The name of the campaign can be changed after its creation and should not be considered as a unique identifier.
nql_id
string
NQL ID: The unique identifier of a campaign. Details: The NQL ID cannot be changed after its initial creation.
priority
enumeration
Priority: The configured priority of the campaign. Details: The campaign priority influences which employee protection rules are applied: urgent campaign bypass the do-not-disturb rules unlike normal campaigns. Possible values:
urgent
normal
status
enumeration
Status: The current status of the campaign. Details: Possible values:
draft - a campaign in creation that has not been finalized yet
published - an active campaign that can currently collect responses from employees
retired - a campaign that was active but has now been retire and cannot collect new responses
Only published campaign can be triggered, and only published and retired campaigns can have responses. Refer to the campaign.responses table for details.
trigger_method
enumeration
Trigger: The possible ways of triggering the campaign. Details: Possible values:
manual - triggered from an investigation results for one or more employees
investigation (Classic campaigns only) - triggered automatically based on an investigation that is evaluated regularly
schedule - triggered automatically based on an investigation that is evaluated regularly
remediation - triggered within a remote action script
api - triggered via a call to the Campaign API
workflow - triggered from a Nexthink Workflow
Campaigns with trigger type remediation do not have their responses available.
The table collecting responses (expected or given) of a campaign by an employee.
responses are punctual events.
responses are associated to user, device, campaign
answers
string
Answers: The campaign answers (details and values) given by the employee. Details: The answers are structured as a JSON object that includes, for each answered question. Inspecting answers of a given campaign is best performed using the dynamic data model: for each campaign, you can use fields of campaign.nql_id.responses.answers.nql_id to inspect the answer type, the answer labels and the free-text comment.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
displayed_language
enumeration
Displayed language: The language in which the content of a multilingual campaign was shown to the employee. Details: Applicable only to multilingual campaigns. Possible values:
not_applicable, for campaigns without multiple languages activated or not answered yet
language name (english, french, etc.), once the campaign has been answered
expiry_date
datetime
Expiry Date: Show the expiry date and time of an employee campaign request.
first_displayed
datetime
First displayed time [Local]: The date and time at which the employee saw the campaign for the first time, adjusted to your local time.
first_planned
datetime
First planned time [Local]: The date and time at which the campaign is set to the planned state first, adjusted to your local time.
first_targeted
datetime
First targeted time [Local]: The date and time at which the campaign is set to the targeted state first, adjusted to your local time.
historical_state
jsonArrayString
Historical states: It describes the historical state updates for an employee campaign response. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.
historical_state_details
jsonArrayString
Historical state details: The historical state details updates for an employee campaign response, as an array sorted chronologically. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.
historical_time
jsonArrayString
Historical times: The historical update times for an employee campaign response, as an array sorted chronologically. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.
number_of_answered_questions
integer
Number of answered questions: The number of questions answered by the employee.
parameters
string
Parameters: It indicates the value of all campaign parameters as defined when triggering this campaign response.
request_id
string
Request ID: The unique identifier generated at the time the user was targeted for that campaign. Details: The request ID is the unique identifier for a campaign response. The same user may have different requests with different request ID if the user was targeted several times for the same campaign. When triggering an API campaign, the request ID is returned in the API response and can be stored for later inspection of the campaign answers.
state
enumeration
State: It describes the current state of the campaign response by a user (expected or actual). Details: Possible values:
planned - the campaign sent to a user who was online and pending display
targeted - the campaign pending answer, refer to state details for more information
answered - the campaign partially or fully answered by the user
declined - the campaign declined by the user
canceled - the response not expected anymore, refer to state details for more information
retired - the campaign retired without responses
unknown_state - the response state not reported by Nexthink
For more information, refer to response state documentation
state_details
enumeration
State Details: It describes additional details about the current state of the campaign response by a user (expected or actual). Details: The state_details value depends on the state value Nexthink registers for a particular response. For state targeted, possible state details are:
notified - the user saw the campaign popup
opened - the user saw the first question fully
offline - the user was offline when the campaign was triggered
delayed - the campaign was delayed due to user protection (classic)
postponed - the user clicked on 'remind me later' For state answered, possible state details are:
partially - the user answered only some of the required questions
fully - the user answered all required questions For state canceled, possible state details are:
user_not_found - the campaign sent to a deleted user
expired - the response not received before its expiration time
already_pending - another response for the same user expected For states planned, declined, retired and unkown_state, the state detail is:
not_applicable - no additional details
For more information, refer to response state documentation
time
datetime
Time [Local]: The date and time when the response was updated for the last time, adjusted to your local time.
trigger_method
enumeration
Trigger method: It describes the trigger method that was used to target the user for the campaign. Details: Possible values:
manual
schedule
api
The collaboration namespace consists of only one table: sessions, which refers to all meetings performed with collaboration tools such as Teams and Zoom. It stores detailed information about each meeting, including its duration, connection type, equipment used, audio and video quality, among other details. This data is used to monitor critical collaboration applications, for example, using dashboards with call quality overview.
Table collecting meetings performed with collaboration tools such as Teams or Zoom.
sessions are punctual events.
sessions are associated to user, device
application.type
enumeration
Application type: Type of the application used for a given call. Possible values are:
Teams
Zoom
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
application.version
version
Application version: Application version used during the session. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
audio.inbound_jitter
duration
Audio inbound jitter: Average change in delay between successive inbound audio packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 30ms, the related session is considered as having a poor audio quality.
audio.inbound_latency
duration
Audio inbound latency: The time it takes an inbound audio packet to reach a participant’s device. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor audio quality.
audio.inbound_packet_loss
float
Audio inbound packet loss: Ratio of inbound audio packets that never reach their destination compared to the total of audio packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor audio quality.
audio.inbound_rocs
float
Audio inbound ROCS: Ratio comparing the number of audio frames generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 0.07, the related Teams session is considered as having a poor audio quality.
audio.inbound_rtt
duration
Audio inbound RTT: Time an audio packet takes to reach a participant’s device and for the response to reach its origin. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor audio quality.
audio.outbound_jitter
duration
Audio outbound jitter: Average change in delay between successive outbound audio packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 30ms, the related session is considered as having a poor audio quality.
audio.outbound_latency
duration
Audio outbound latency: The time it takes an outbound audio packet to reach its destination from a participant’s device. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor audio quality.
audio.outbound_packet_loss
float
Audio outbound packet loss: Ratio of outbound audio packets that never reach their destination compared to the total number of outbound audio packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor audio quality.
audio.outbound_rocs
float
Audio outbound ROCS: Average ratio comparing the number of outbound audio frames with concealed samples generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 0.07, the related Teams session is considered as having a poor audio quality.
audio.outbound_rtt
duration
Audio outbound RTT: Time an outbound audio packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor audio quality.
audio.quality
enumeration
Audio call quality: Assessment of the audio call quality. Possible values are:
Good
Poor
Unknown
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: When the audio quality is poor, end-users might experience some distorted, breaking up or robotic sound. Assessment of the quality is based on multiple metrics, like jitter, packet loss... See more details on the related documentation.
call.end_time
datetime
Call end time: Time when the last user left the call. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
call.id
string
Call ID: Unique identifier for the call record.
call.quality
enumeration
Call quality: Indicates the overall call quality computed as a combination of below quality metrics
Audio quality
Video quality
Screen share quality (Teams only)
Failed to connect to the call (Teams only)
Got disconnected from the call (Teams only) Possible values
Poor: If any of the metric is poor.
Good: If majority of the metrics is good.
Unknown: If majority of the metrics is unknown.
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
call.start_time
datetime
Call start time: Time when the first user joined the call
call.type
enumeration
Call type: Indicates if the call type was a group call or a peer-to-peer call. This value is available only for Microsoft teams calls. Possible values are:
Group call
Peer-to-peer
Unknown
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: Group call indicates that the call was either scheduled or a call that involves more than two participants. Peer-to-peer indicates it was a direct call between two participants.
connection_type
enumeration
Connection type: The internet connection type for a participant in a given call. Possible values are:
Ethernet
WiFi
cellular
PPP
tunnel
point_to_point
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Session duration: Time between the start time and end time of the session. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
end_time
datetime
Session end time: Time when the user left the call. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
has_screen_share
bool
Has screen share: Indicates if screen sharing was used during the call. Requirements: This requires
The Collaboration Experience license..
Configured inbound connectors.
macOS requires Jamf as an identity provider..
See more details in the related documentation.
has_video
bool
Session contains video: Indicates if video was used during the call. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
id
string
Session ID: Unique identifier of the session. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: Peer-to-peer calls typically only have one session, whereas group calls typically have at least one session per participant.
participant_device.camera
string
Camera: Camera used during the session. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
participant_device.mac_address
string
MAC address: MAC address of the participant's device during the session. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
participant_device.microphone
string
Microphone: Microphone used during the session. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
participant_device.speaker
string
Speaker: Speaker used during the session. Requirements: This requires
The Collaboration Experience license..
Configured inbound connectors.
macOS requires Jamf as an identity provider..
See more details in the related documentation.
participant_device.type
enumeration
Device type: Participant’s device type during the session. Possible values are:
Windows
macOS
iOS
Android
web
IP_phone
room_system
Surface_Hub
HoloLens
PSTN
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
participant_failed_to_connect
string
Participant failed to connect: Indicates whether the participant failed to connect to the call. Please note: This feature is available only for Teams. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
participant_got_disconnected
string
Participant got disconnected: Indicates if participant got disconnected during the call. Please note: This feature is available only for Teams. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
screen_share.inbound_frame_loss_percentage
float
Screen share inbound frames loss percentage: Percentage of inbound frames loss. Please note: This feature is available only for Teams. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: Inbound frame loss percentage refers to the proportion of lost frames during screen sharing. When someone shares their screen, frames (individual images) are transmitted over the network. If any frames are lost or delayed, it affects the viewing experience. The issue may be related to network problems, and troubleshooting involves analysing the network path and seeking community insights. If inbound frame loss percentage > 50%, you will see an issue in screen sharing quality.
screen_share.inbound_frame_rate
integer
Screen share inbound frame rate: Frames per second received by viewers during screen sharing. Please note: This feature is available only for Teams. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: Inbound frame rate refers to the frames per second (fps) received by viewers during screen sharing. If inbound frame rate as well as outbound frame rate is less than 1 FPS, the screen sharing quality is marked as poor.
screen_share.outbound_frame_rate
integer
Screen share outbound frame rate: Frames per second transmitted by the person's device who is sharing screen. Please note: This feature is available only for Teams. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: Outbound frame rate pertains to the fps at which shared content is transmitted from a person's device who is sharing screen. If inbound frame rate as well as outbound frame rate is less than 1 FPS, the screen sharing quality is marked as poor.
screen_share.quality
enumeration
Screen share quality: Assessment of the screen share quality. The assessment is based on inbound frame loss percentage, inbound and outbound frame rate metrics. Possible values are:
Good
Poor
Unknown
Please note: This feature is available only for Teams. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: When the screen share quality is poor, end-users might experience lags in the screen share display. The screen share quality is considered:
Good when inbound frame loss percentage <= 50% OR (inbound frame loss percentage is null AND inbound frame rate >= 1 AND outbound frame rate >= 1).
Poor when inbound frame loss percentage > 50% OR (inbound frame loss percentage is null AND inbound frame rate < 1 AND outbound frame rate < 1).
Unknown when inbound frame loss percentage is null AND inbound frame rate is null AND outbound frame rate is null.
See more details on the related documentation.
start_time
datetime
Session start time: Time when the user joined the call. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation.
video.inbound_frame_rate
integer
Video inbound frame rate: Frequency at which inbound frames appear on a display. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is lower than 7 FPS, the related session is considered as having a poor video quality.
video.inbound_jitter
duration
Video inbound jitter: Average change in delay between successive inbound video packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 30ms, the related session is considered as having a poor video quality.
video.inbound_latency
duration
Video inbound latency: Time it takes an inbound video packet to reach a participant’s device. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor video quality.
video.inbound_packet_loss
float
Video inbound packet loss: Ratio of inbound video packets that never reach their destination compared to the total number of inbound video packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor video quality.
video.inbound_rtt
duration
Video inbound RTT: Time an inbound video packet takes to reach a participant’s device and for the response to reach its origin. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor video quality.
video.outbound_frame_rate
integer
Video outbound frame rate: The frequency at which outbound frames appear on a display. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is lower than 7 FPS, the related session is considered as having a poor video quality.
video.outbound_jitter
duration
Video outbound jitter: Average change in delay between successive outbound video packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 30ms, the related session is considered as having a poor video quality.
video.outbound_latency
duration
Video outbound latency: The time it takes an outbound video packet to reach its destination from a participant’s device. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor video quality.
video.outbound_packet_loss
float
Video outbound packet loss: Ratio of outbound video packets that never reach their destination compared to the total number of outbound video packets. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor video quality.
video.outbound_rtt
duration
Video outbound RTT: Time an outbound video packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor video quality.
video.quality
enumeration
Video call quality: Assessment of the video call quality. Possible values are:
Good
Poor
Unknown
Requirements: This requires
The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.
See more details in the related documentation. Details: When the video quality is poor, end-users might experience lags in the video display. Assessment of the video quality is based on multiple metrics, like jitter, frame rate... See more details on the related documentation.
The connections namespace contains a set of tables which allow troubleshooting connections-related issues along three dimensions: binary/ application, device (incl. location), and destination (incl. location). The tables contain sampled events with data and metrics about network connections initiated by an application on the device of the user. Please note: Connections events are only available for devices with Collectors that report "Infinity only".
The connections.events table contains events for outgoing TCP connections and UPD packages. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated to binaries, users, devices, and applications (optional).
events are sampled events.
events are associated to binary, device, user, application, network_application
bucket_duration
duration
Bucket duration: The duration of the time bucket. Requirements: Exclusive to Nexthink Infinity
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
destination.country
string
Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL.
destination.datacenter_region
string
Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:
the regions as provided by the data center owner, if destination.type equals 'datacenter'
NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.
destination.domain
string
Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization . Details: The destination domain name is 'multiple domain names', if a binary establishes multiple connections to the same destination with different domain names. The destination domain name is NULL, if the Collector did not report a domain name or if a binary establishes 512 or more connections within one time bucket.
destination.ip_address
ipAddress
IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. The destination IP address is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.ip_subnet
ipAddress
Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bit of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or ' 2600:1401:4000::1724:2625/120' for IPv6. The destination subnet address is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.owner
string
Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:
Owner of the autonomous system for destinations of type 'internet'
Operator of the data center for destinations of type 'datacenter'
'Intranet' for destinations of type 'intranet'
The destination owner is NULL, if the destination type is NULL.
destination.port
numeric
Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The destination port is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.type
enumeration
Type: Classifies the destination and allows to group destinations. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types: datacenter, internet, and intranet. The destination type is NULL, if a binary establishes 512 or more connections within one time bucket.
end_time
datetime
Bucket end: Time bucket's end time and date. Requirements: Exclusive to Nexthink Infinity
establishment_time
duration
Connection RTT: Average round trip time of the TCP connection establishment. Requirements: Exclusive to Nexthink Infinity Details: Average round trip time for all established connections. The round trip time is measured between sending the SYN (synchronize) message and receiving the SYN-ACK (synchronize-acknowledge) message from the remote party during the TCP connection establishment, a 3-way handshake.
failed_connection_ratio
float
Failed connection ratio: The ratio of all failed TCP connections over all attempted TCP connections i.e., all established and failed TCP connections. Requirements: Exclusive to Nexthink Infinity Details: When aggregating the data, the average is weighted with number of attempted connections i.e., the sum of failed and established TCP connections.
incoming_traffic
bytes
Incoming traffic: Bytes received by the application. Requirements: Exclusive to Nexthink Infinity Details: Bytes received by the application include the traffic from all TCP connections.
ip_version
enumeration
IP version: The Internet Protocol (IP) version used for this connection: IPv4 or IPv6. Requirements: Exclusive to Nexthink Infinity Details: The IP version is NULL, if a binary establishes 512 or more connections within one time bucket.
number_of_alive_connections
long
Alive connections: The number of connections that were established in a previous time bucket and continue into the current time bucket. Requirements: Exclusive to Nexthink Infinity Details: Alive connections may end in the current time bucket or continue into the next time bucket.
The system counts alive connections as successful.
number_of_attempted_connections
long
Attempted connections: The number of TCP connections a process tried to establish in a bucket. Requirements: Exclusive to Nexthink Infinity Details: Attempted connections are the sum of established and failed TCP connections in a bucket.
number_of_connections
long
Total number of connections: The total number of failed and successful connections. Requirements: Exclusive to Nexthink Infinity
number_of_established_connections
long
Established connections: The number of connections that have been established in the current time bucket. Requirements: Exclusive to Nexthink Infinity Details: Established connections may continue into the next time bucket or they might end in the bucket they were established in.
The system counts established connections as successful.
number_of_failed_connections
long
Failed connections: The total number of failed connections. Requirements: Exclusive to Nexthink Infinity Details: Failed connections are calculated as the sum of rejected, no host, and no service connections.
number_of_no_host_connections
long
Failed connections - no host: The number of connections that failed due to the device not reaching the destination host. Requirements: Exclusive to Nexthink Infinity Details: A connection fails to reach the destination host when the destination host does not acknowledge the TCP SYN message, for example, the remote party does not exist or a firewall blocks the connection request.
The system counts 'no host' connections as failed connections.
number_of_no_service_connections
long
Failed connections - no service: The number of connections that failed due to the device not reaching the service on the destination host. Requirements: Exclusive to Nexthink Infinity Details: A connection fails to reach the service on the destination host when the destination host acknowledges the initial TCP SYN message by an RST message but no service is bound to the requested port. Note that a firewall protects most personal computers and discards RST messages to prevent port scanning.
The system counts 'no service' connections as failed connections.
number_of_rejected_connections
long
Failed connections - rejected: The number of outgoing connections that have been rejected on the device of the user. Requirements: Exclusive to Nexthink Infinity Details: The operating system of the device or a local firewall rejects an outgoing connection.
The system counts rejected connections as failed connections.
number_of_successful_connections
long
Successful connections: The total number of successful connections. Requirements: Exclusive to Nexthink Infinity Details: The system calculates successful connections as the sum of established and alive connections.
outgoing_traffic
bytes
Outgoing traffic: Bytes sent by the application. Requirements: Exclusive to Nexthink Infinity Details: Bytes sent by the application include the traffic from all TCP and UDP connections.
start_time
datetime
Bucket start: Time bucket's start time and date. Requirements: Exclusive to Nexthink Infinity
transport_protocol
enumeration
Transport protocol: The transport protocol of this connection: TCP or UDP. Requirements: Exclusive to Nexthink Infinity
The connections.tcp_events table has been deprecated. Please use 'connection.events' table instead.
tcp_events are sampled events.
tcp_events are associated to binary, device, user, application, network_application
bucket_duration
duration
Bucket duration (deprecated): This field has been deprecated. Please use 'connection.event.bucket_duration' instead. Requirements: Exclusive to Nexthink Infinity
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
destination.country
string
Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL.
destination.datacenter_region
string
Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:
the regions as provided by the data center owner, if destination.type equals 'datacenter'
NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.
destination.domain
string
Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization . Details: The destination domain name is 'multiple domain names', if a binary establishes multiple connections to the same destination with different domain names. The destination domain name is NULL, if the Collector did not report a domain name or if a binary establishes 512 or more connections within one time bucket.
destination.ip_address
ipAddress
IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. The destination IP address is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.ip_subnet
ipAddress
Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bit of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or ' 2600:1401:4000::1724:2625/120' for IPv6. The destination subnet address is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.owner
string
Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:
Owner of the autonomous system for destinations of type 'internet'
Operator of the data center for destinations of type 'datacenter'
'Intranet' for destinations of type 'intranet'
The destination owner is NULL, if the destination type is NULL.
destination.port
numeric
Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The destination port is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.type
enumeration
Type: Classifies the destination and allows to group destinations. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types: datacenter, internet, and intranet. The destination type is NULL, if a binary establishes 512 or more connections within one time bucket.
end_time
datetime
Bucket end (deprecated): This field has been deprecated. Please use 'connection.event.end_time' instead. Requirements: Exclusive to Nexthink Infinity
establishment_time
duration
Connection RTT (deprecated): This field has been deprecated. Please use 'connection.event.establishment_time' instead. Requirements: Exclusive to Nexthink Infinity
incoming_traffic
bytes
Incoming traffic (deprecated): This field has been deprecated. Please use 'connection.event.incoming_traffic' instead. Requirements: Exclusive to Nexthink Infinity
ip_version
enumeration
IP version (deprecated): This field has been deprecated. Please use 'connection.event.ip_version' instead. Requirements: Exclusive to Nexthink Infinity Details: The IP version is NULL, if a binary establishes 512 or more connections within one time bucket.
number_of_alive_connections
long
Alive connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_alive_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_connections
long
Total number of connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_established_connections
long
Established connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_established_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_failed_connections
long
Failed connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_failed_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_no_host_connections
long
Failed connections - no host (deprecated): This field has been deprecated. Please use 'connection.event.number_of_no_host_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_no_service_connections
long
Failed connections - no service (deprecated): This field has been deprecated. Please use 'connection.event.number_of_no_service_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_rejected_connections
long
Failed connections - rejected (deprecated): This field has been deprecated. Please use 'connection.event.number_of_rejected_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_successful_connections
long
Successful connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_successful_connections' instead. Requirements: Exclusive to Nexthink Infinity
outgoing_traffic
bytes
Outgoing traffic (deprecated): This field has been deprecated. Please use 'connection.event.outgoing_traffic' instead. Requirements: Exclusive to Nexthink Infinity
start_time
datetime
Bucket start (deprecated): This field has been deprecated. Please use 'connection.event.start_time' instead. Requirements: Exclusive to Nexthink Infinity
The connections.udp_events table has been deprecated. Please use 'connection.events' table instead.
udp_events are sampled events.
udp_events are associated to binary, device, user, application, network_application
bucket_duration
duration
Bucket duration (deprecated): This field has been deprecated. Please use 'connection.event.bucket_duration' instead. Requirements: Exclusive to Nexthink Infinity
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
destination.country
string
Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL.
destination.datacenter_region
string
Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:
the regions as provided by the data center owner, if destination.type equals 'datacenter'
NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.
destination.domain
string
Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization . Details: The destination domain name is 'multiple domain names', if a binary establishes multiple connections to the same destination with different domain names. The destination domain name is NULL, if the Collector did not report a domain name or if a binary establishes 512 or more connections within one time bucket.
destination.ip_address
ipAddress
IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. The destination IP address is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.ip_subnet
ipAddress
Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bit of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or ' 2600:1401:4000::1724:2625/120' for IPv6. The destination subnet address is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.owner
string
Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:
Owner of the autonomous system for destinations of type 'internet'
Operator of the data center for destinations of type 'datacenter'
'Intranet' for destinations of type 'intranet'
The destination owner is NULL, if the destination type is NULL.
destination.port
numeric
Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The destination port is NULL, if a binary establishes 512 or more connections within one time bucket.
destination.type
enumeration
Type: Classifies the destination and allows to group destinations. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types: datacenter, internet, and intranet. The destination type is NULL, if a binary establishes 512 or more connections within one time bucket.
end_time
datetime
Bucket end (deprecated): This field has been deprecated. Please use 'connection.event.end_time' instead. Requirements: Exclusive to Nexthink Infinity
ip_version
enumeration
IP version (deprecated): This field has been deprecated. Please use 'connection.event.ip_version' instead. Requirements: Exclusive to Nexthink Infinity Details: The IP version is NULL, if a binary establishes 512 or more connections within one time bucket.
number_of_alive_connections
long
Alive connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_alive_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_connections
long
Total number of connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_established_connections
long
Established connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_established_connections' instead. Requirements: Exclusive to Nexthink Infinity
number_of_successful_connections
long
Successful connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_successful_connections' instead. Requirements: Exclusive to Nexthink Infinity
outgoing_traffic
bytes
Outgoing traffic (deprecated): This field has been deprecated. Please use 'connection.event.outgoing_traffic' instead. Requirements: Exclusive to Nexthink Infinity
start_time
datetime
Bucket start (deprecated): This field has been deprecated. Please use 'connection.event.start_time' instead. Requirements: Exclusive to Nexthink Infinity
Connectivity events offers details about IP networking performance. It can be used to detect and diagnose networking issues such as misconfigurations, poor Wi-Fi signal strength and other issues affecting employees in particular offices or when working from home. Useful trend data can also be obtained using this table.
Table collecting performance metrics and attributes specific to a device's connectivity.
events are sampled events.
events are associated to device
bucket_duration
duration
Bucket duration: Duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
end_time
datetime
Bucket end: End time of the bucket.
primary_physical_adapter.dns_ips
ipAddressArray
List of DNS servers: List of DNS server IP addresses set for the primary physical network adapter.
primary_physical_adapter.gateway_ips
ipAddressArray
List of gateways: List of gateway IP addresses set for the primary physical network adapter.
primary_physical_adapter.local_ips
ipAddressArray
List of local IPs: List of local IP addresses set for the primary physical network adapter.
primary_physical_adapter.type
enumeration
Network adapter type: Type of the primary network adapter:
WiFi
Ethernet
Bluetooth
start_time
datetime
Bucket start: Start time of the bucket.
wifi.band
enumeration
WiFi band (preview): The WiFi frequency band used:
wifi_900MHz
wifi_2dot4GHz
wifi_3dot65GHz
wifi_5GHz
Details: The WiFi frequency bands:
wifi_900MHz: 900 MHz
wifi_2dot4GHz: 2.4 GHz
wifi_3dot65GHz: 3.65 GHz
wifi_5GHz: 5 GHz
wifi.bssid
string
WiFi BSSID: The physical address of the access point or wireless router used to connect to the WiFi. Requirements: By default, Collector does not report the BSSID. Reporting has to be enabled with the WiFi network Collector configuration parameter.
Windows
wifi.channel_id
integer
WiFi channel ID: The channel ID of the WiFi used.
wifi.channel_width
integer
WiFi channel width: Width of the used WiFi channel in MHz.
macOS
wifi.noise_level
integer
WiFi noise level: Average WiFi noise level in dBm. Details: The WiFi noise is a negative number. The lower, the better. A noise level below -80 dBm is considered good.
macOS
wifi.p5_signal_strength
integer
WiFi p5 signal strength: 5th percentile of the RSSI. During the 15minutes period, the rssi was 95% of the time equal or larger than the receive value. Details: 5th percentile of the signal strength in dBm.
wifi.physical_layer_protocol
enumeration
WiFi physical layer protocol: The WiFi protocol used. Details: The possible values based on the IEEE 802.11 protocols:
802_11a
802_11b
802_11g
802_11n
802_11ac
802_11ad
802_11ax
wifi.receive_rate
integer
WiFi receive rate: Receive rate for the WiFi adapter in Mbit/sec.
Windows
wifi.signal_strength
integer
WiFi signal strength: Average WiFi signal strength in dBm. Details: The WiFi signal strength (RSSI) is a negative number. The higher (closer to 0), the better. A signal strength above -60 dBm is considered good.
wifi.ssid
string
WiFi SSID: The WiFi network name (SSID). Requirements: By default, Collector does not report the SSID. Reporting has to be enabled with the WiFi network Collector configuration parameter.
Windows
wifi.transmission_rate
integer
WiFi transmission rate: Transmission rate for the WiFi adapter in Mbit/sec. Details: This metric provides the best understanding of the quality of the WiFi connection. Higher values are better.
The device performance namespace gathers tables that store information related to boots, crashes and other device performance indicators. Querying them allows users to investigate system issues.
The table collecting boots of devices.
boots are punctual events.
boots are associated to device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Boot duration: The duration of the boot.
Windows
number_of_boots
integer
Number of boots: The number of device boots.
time
datetime
Time: The date and time of the boot.
type
enumeration
Type: The type of the boot. Possible values are:
fast_startup
full_boot
The table collecting performance metrics and attributes specific to a device.
events are sampled events.
events are associated to device
bucket_duration
duration
Bucket duration: The duration of the bucket.
cached_memory
bytes
Cached memory: The average amount of RAM used for caching and that can be freed up without writing it to the storage first. A higher value indicates that the operating system is optimizing access to more content that otherwise would be available from slower storage. Details: Low value (below 1GB) can signal that the system could benefit from more memory.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
cpu_interrupt_usage
float
CPU usage by interrupts: The average share of time while the processor needs to handle hardware interrupts. These interrupts have higher priority than applications and other tasks and a high value could signal potential hardware or driver issues, some applications competing for shared hardware resources. Details: Usually should be below 2% and anything above 5% is considered high and often have a perceivable effect on user experience like input lag and degraded responsivity.
Windows
cpu_queue_length
integer
CPU queue length: The average CPU queue length indicates how many threads are waiting for their turn to get execution time on one of the available logical processors during the observed period of time. Details: Values higher than the double of available logical processors for an extended period of time signal that the workload could benefit from a CPU with higher core count and better multi-threading capabilities.
Windows
cpu_usage
float
CPU usage: The average of the total CPU usage of all logical processors for the time period. Maximum value is 100% * number of logical processors available in the system. Details: Suitable for sizing purposes. For example, how many vCPUs would be required if this workload was about to move to a remote desktop?
disk_queue_length
float
Queue length of the system drive: The average number of storage input and output tasks waiting to be executed on the system drive. Details: A high number indicates slow storage devices, when applications might have low performance due to waiting for storage access. Anything above 1 is usually to be avoided.
Windows
disk_read_latency
duration
Read latency of the system drive: The average time the operating system and applications wait for read tasks to be queued and executed on the system drive. Details: While latency is heavily dependent on the type of storage device used, the best practices recommend that on average disk latency should be no more than 10 milliseconds, and 20 milliseconds during peak time.
Windows
disk_write_latency
duration
Write latency of the system drive: The average time the operating system and applications wait for write tasks to be queued and executed on the system drive. Details: While latency is heavily dependent on the type of storage device used, the best practices recommend that on average the disk latency should be no more than 10 milliseconds and 20 milliseconds during peak time.
Windows
duration_with_high_cpu_interrupt_usage
duration
Duration with high CPU interrupt usage: The duration with high CPU interrupt usage, calculated based on number of samples above the 5% threshold and a sampling frequency of 30 seconds.
Windows
duration_with_medium_cpu_interrupt_usage
duration
Duration with medium CPU interrupt usage: The duration with medium CPU interrupt usage. Calculated based on number of samples above 2% threshold and a sampling frequency of 30 seconds.
Windows
end_time
datetime
Bucket end: The end time of the bucket.
free_memory
bytes
Free memory: The additional average amount of RAM available for applications or the operating system. Details: What is considered a healthy amount of free memory depends on the workload (how bursty the memory requirements are) and can greatly vary. Less then 10% of the installed memory is generally considered as a potential bottleneck.
gpu_1_name
string
Name of the first GPU: The full name of the first GPU returned by the OS.
gpu_1_usage
float
GPU usage (1st GPU): Shows if applications are benefitting from the acceleration capabilities of the first GPU. Details: High, continued usage (80 to 90%) can signal the GPU being a bottleneck.
gpu_2_name
string
Name of the second GPU: The full name of the second GPU returned by the OS.
gpu_2_usage
float
GPU usage (2nd GPU): Shows if applications are benefitting from GPU acceleration. High continued usage (80 to 90%) can signal the GPU being a bottleneck. Details: High continued usage (80 to 90%) can signal the GPU being a bottleneck.
installed_memory
bytes
Installed memory: The total size of the RAM physically installed in the device.
memory_swap_rate
bytes
Bytes wrote to swap memory per second: The speed that content is being written to disk to free up memory. Details: Continued frequent spikes can signal that the memory is a bottleneck for running the given tasks. It can indicate periods of lower performance.
memory_swap_size
bytes
Swap memory size: The average size of the swap file being actively utilized by the operating system. This can impact the amount of available storage for other applications. Details: Continued high values can indicate slower performance in general. What is considered a high value is workload dependent. Having more than 5GB of swap storage is usually considered excessive. As a best practice, the storage should be able to accommodate as much swap space as the amount of installed physical memory to able to support heavier then usual workloads.
non_paged_pool_memory
bytes
Non-paged pool memory: The amount of memory used by the operating system kernel and drivers that must remain in memory all the time. Details: A high increasing value shows a kernel or driver-level memory leak.
Windows
non_system_drive_capacity
bytes
Non system drive capacity: The total size of all non-system drives. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
non_system_drive_free_space
bytes
Non system drive free space: The amount of space available on all of the non-system drives. Details: The best practices recommend to leave 10 to 20% of storage free for spinning drives, and for not only better performance but also longevity SSDs should have more then 25% free space available most of the time. The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
non_system_drive_usage
bytes
Non system drive usage: The amount of used space on all of the non-system drives. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
normalized_cpu_usage
float
Normalized CPU usage: The average CPU usage on a 0 to 100% scale for the time period. Indicates how much of the time the CPU is busy. Details: Continued 80 to 90% or higher value indicates if the CPU is a bottleneck for the workload. It does not consider the clock speed itself and will show high utilisation even if in theory the CPU could run at higher speeds but it is in fact (thermally) throttled.
number_of_logical_processors
integer
Number of logical CPU cores: The number of logical CPUs available for the operating system to execute tasks simultaneously. Details: Based on number of CPUs, their core count and their multi-threading capability.
paged_pool_memory
bytes
Paged pool memory: The amount of memory used by the operating system kernel and drivers that can potentially be written to storage if needed. Details: A high increasing value shows a kernel or driver-level memory leak.
Windows
read_operations_per_second
integer
Read operations per second: The total number of read operations per second, across all physical storage available on the device. Details: Useful for understanding the intensity of read operations that the workflow requires when moving workloads between physical devices or to virtual machines.
Windows
start_time
datetime
Bucket start: The start time of the bucket.
system_drive_capacity
bytes
System drive capacity: The total capacity of the system drive. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays the data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
system_drive_free_space
bytes
System drive free space: The free space on the system drive. Details: The best practices recommend to leave 10 to 20% of storage free for spinning drives, and for not only better performance but also longevity SSDs should have more than 25% free space available most of the time. The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays the data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
system_drive_usage
bytes
System drive usage: The amount of used space on the system drive. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.
used_memory
bytes
Used memory: The average amount of RAM actively used by the applications and the operating system. Details: If the operating system needs to free up some memory (for example, for other applications taking priority or getting in the foreground) the content is written to disk.
write_operations_per_second
integer
Write operations per second: The total number of write operation per second across all physical storage available on the device. Details: Useful for understanding the intensity of write operations that the workflow requires when moving workloads between physical devices or to virtual machines.
Windows
The table contains hard resets, which occur when a device reboots without first completing the shutdown procedure. This could apply to situations where a device totally freezes up and can only be restarted by turning it off first, as well as situations involving power outages.
hard_resets are punctual events.
hard_resets are associated to device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_hard_resets
integer
Number of hard resets: The number of hard resets.
time
datetime
Time: The date and time of the crash.
The table collecting the system crashes of the devices.
system_crashes are punctual events.
system_crashes are associated to device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
error_code
long
Error code: The error code for system crashes.
Windows
error_code_hexadecimal
string
Error code in hexadecimal: The hexadecimal error code for system crashes.
Windows
label
string
Label: The error label for system crashes.
Windows
number_of_system_crashes
integer
Number of system crashes: The number of system crashes.
time
datetime
Time: The date and time of the system crash.
Querying the DEX score table gives an overview of digital employee experience for all employees or a specific subset of employees. For example, you can query DEX scores for specific locations, devices with a specific operating system, and other parameters.
application_score
application_scores are punctual events.
application_scores are associated to device, user, application
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
node.score_impact
float
Score impact: The estimated decrease in technology score of a node of the application impact score structure. Use it with the field application_score.node.type to specify which node impact score you are targeting.
node.type
enumeration
Node type: The type of a node of the application score structure. Use it with the field application_score.node.value to specify which node you are targeting for the score computation. Details: The possible values are:
Page_loads: returns the page load score of an application,
Transactions: returns the transaction score of an application,
Web_reliability: returns the web reliability score of an application,
Crashes: returns the crash score of an application,
Freezes: returns the freeze score of an application,
Application: returns the score of an application.
Refer to the DEX score documentation for more information.
node.value
float
Node score: The score of a node of the application score structure. Use it with the field application_score.node.type to specify which node score you are targeting. Details: It is computed based on the metric corresponding to the application_score.node.type specified in the query:
Page_loads: based on the average value of the load time, for example field perceived_duration divided by field perceived_count ),
Transactions: based on the average value of the field transaction.duration ,
Web_reliability: based on the sum of web errors (field number_of_errors ),
Crashes: based on the sum of execution crashes (field number_of_crashes ),
Freezes: based on the sum of execution freezes (field number_of_freezes ),
Application: based on all the above metrics.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
score_computation_approximation
enumeration
Score computation approximation: This indicates whether an approximation related to the device or its context influenced the computation of the score. The possible values are:
unknown
none
multi_device
multi_context
When the device or context changes, this field will indicate that the score cannot be associated beyond the user to device and context. Details: Approximations may arise from scenarios such as user operating multiple devices at the same time or changes in the device context within an hour, such as change in location. See here for more information: FAQ
time
datetime
Time: The time of the DEX application score event.
A table of the DEX score.
scores are punctual events.
scores are associated to device, user
applications.score_impact
float
Applications score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
applications.value
float
Applications score: The Applications score is based on hard metrics around applications' performance and reliability.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.score_impact
float
Collaboration score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
collaboration.teams_audio_quality_score_impact
float
Teams (collaboration) - audio quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
collaboration.teams_audio_quality_value
float
Teams (collaboration) - audio quality score: The Teams audio quality score is based on the number of calls with poor audio quality.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The system computes the Teams audio quality score based on the count of virtual meeting events with poor audio quality. For example, the field audio.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.teams_score_impact
float
Teams (collaboration) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
collaboration.teams_value
float
Teams (collaboration) score: The Teams score is based on hard metrics around the video and audio quality.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.teams_video_quality_score_impact
float
Teams (collaboration) - video quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
collaboration.teams_video_quality_value
float
Teams (collaboration) - video quality score: The Teams video quality score is based on the number of calls with poor video quality.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The system computes the Teams video quality score based on the count of virtual meeting events with poor video quality. For example, the field video.quality is equal to POOR. The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.value
float
Collaboration score: The Collaboration score is based on hard metrics around collaboration applications such as Zoom or Teams.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The value is be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.zoom_audio_quality_score_impact
float
Zoom (collaboration) - audio quality score impact: The Zoom audio quality score is based on the number of calls with poor audio quality.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The system computes the Zoom audio quality score based on the count of virtual meeting events with poor audio quality. For example, field audio.quality is equal to POOR.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.zoom_audio_quality_value
float
Zoom (collaboration) - audio quality score: The Zoom audio quality score is based on the number of calls with poor audio quality.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The system computes the Zoom audio quality score based on the count of virtual meeting events with poor audio quality. For example, field audio.quality is equal to POOR.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.zoom_score_impact
float
Zoom (collaboration) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
collaboration.zoom_value
float
Zoom (collaboration) score: The Zoom score is based on hard metrics around video and audio quality.
The score represents the level of digital experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
collaboration.zoom_video_quality_score_impact
float
Zoom (collaboration) - video quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
collaboration.zoom_video_quality_value
float
Zoom (collaboration) - video quality score: The Zoom video quality score is based on the number of calls with poor video quality.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The system computes the Zoom video quality score based on the count of virtual meeting events with poor video quality. For example, field video.quality is equal to POOR.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
endpoint.CPU_interrupt_usage_score_impact
float
CPU interrupt usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
Windows
endpoint.CPU_interrupt_usage_value
float
CPU interrupt usage score: The CPU interrupt usage score is based on the amount of CPU interrupts over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the CPU interrupt usage score based on the value of the field cpu_interrupt_usage, which is highlighted when applications compete for shared hardware CPU resources.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
Windows
endpoint.CPU_usage_score_impact
float
CPU usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.CPU_usage_value
float
CPU usage score: The CPU usage score is based on the amount of CPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the CPU usage score based on the value of the field normalized_cpu_usage, which is the average percentage of the CPU usage across all logical cores.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.GPU_1_usage_score_impact
float
GPU 1 usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.GPU_1_usage_value
float
GPU 1 usage score: The GPU 1 usage score is based on the amount of GPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the GPU 1 usage score based on the value of the field gpu_1_usage, which is the average percentage of the GPU usage.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.GPU_2_usage_score_impact
float
GPU 2 usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.GPU_2_usage_value
float
GPU 2 usage score: The GPU 2 usage score is based on the amount of GPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the GPU 2 usage score based on the value of the field gpu_2_usage, which is the average percentage of the GPU usage.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.boot_speed_score_impact
float
Boot speed score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
Windows
endpoint.boot_speed_value
float
Boot speed score: The boot speed score is based on the duration of boot events. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the boot speed score based on the value of the field boot.duration , which is the time between powering on a device and the display of the sign-in screen.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
Windows
endpoint.device_performance_score_impact
float
Device performance score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.device_performance_value
float
Device performance score: The device performance score is based on hard metrics around CPU usage, GPU usage, memory usage, and system free space. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.device_reliability_score_impact
float
Device reliability score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.device_reliability_value
float
Device reliability score: The Device reliability score is based on hard metrics regarding system crashes and hard resets.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.device_responsiveness_score_impact
float
Device responsiveness score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.device_responsiveness_value
float
Device responsiveness score: The Device responsiveness score is based on the delay between a user action (e.g., moving the mouse, pressing a key, etc.) and the OS acting upon it.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the amount of time per hour with noticeable input delay for the user (fields duration_with_high_user_input_delay, duration_with_medium_input_delay ).The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.disk_queue_length_score_impact
float
Disk queue length score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
Windows
endpoint.disk_queue_length_value
float
Disk queue length score: The disk queue length score is based on the number of disk tasks waiting to be executed. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the disk queue length score based on the value of the field disk_queue_length, which is the number of storage input and output tasks waiting to be executed on the system drive.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
Windows
endpoint.hard_reset_score_impact
float
Hard reset score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.hard_reset_value
float
Hard reset score: The Device responsiveness score is based on the number of hard resets.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the field number_of_hard_resets , which captures abrupt stops of a device caused by pressing the reset button, power failures or crashes.The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.logon_speed_score_impact
float
Logon speed impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
Windows
endpoint.logon_speed_value
float
Logon speed score: The Logon speed score is based on the duration of logon events.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the value of the field time_until_desktop_is_visible , which is the number of seconds between the user logging on and the desktop being shown.The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
Windows
endpoint.memory_swap_rate_score_impact
float
Memory swap rate score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.memory_swap_rate_value
float
Memory swap rate score: The memory swap rate score is based on the speed at which memory is written from RAM to the disk to free up memory. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory swap rate score based on the value of the field memory_swap_rate, which is the average speed at which memory is written to the swap file.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.memory_swap_size_score_impact
float
Memory swap size score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.memory_swap_size_value
float
Memory swap size score: The memory swap size score is based on the amount of space used by the operating system to move application data from RAM to the disk. A score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory swap size score based on the value of the field memory_swap_size, which is the average amount of disk space the operating system allocates to store the state of less frequently used applications from RAM to the disk.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.memory_usage_score_impact
float
Memory usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.memory_usage_value
float
Memory usage score: The memory usage score is based on the amount of RAM over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory usage score based on the value of the field free_memory divided by the value of the field installed_value, which measures the average percentage of free RAM.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.network_quality_score_impact
float
Network quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.network_quality_value
float
Network quality score: The network quality score is based on hard metrics around the Wi-Fi signal strength, download speed, and upload speed. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.os_activation_score_impact
float
OS activation score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
Windows
endpoint.os_activation_value
float
OS activation score: The OS activation score is based on the number of devices used by the users that do not have an activated OS.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the count of devices operated by the user with a non-activated operating system (i.e., field operating_system.is_activated is equal to False).The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
Windows
endpoint.score_impact
float
Endpoint score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_performance_score_impact
float
Software performance impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_performance_value
float
Software performance score: The Software performance score is based on hard metrics regarding software freezes occurring across the devices.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.software_performance_with_gui_score_impact
float
Software performance (with GUI) impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_performance_with_gui_value
float
Software performance (with GUI) score: The Software performance score is based on freezes of binaries with a Graphical User Interface.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the execution freezes (field number_of_freezes ) of binaries with a graphical user interface (i.e., field has_user_interface is equal to TRUE).The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.software_performance_without_gui_score_impact
float
Software performance (without GUI) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_performance_without_gui_value
float
Software performance (without GUI) score: The Software performance score is based on freezes of binaries without a Graphical User Interface.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the execution freezes (field number_of_freezes ) of binaries without a graphical user interface (i.e., field has_user_interface is equal to false).The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.software_reliability_score_impact
float
Software reliability impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_reliability_value
float
Software reliability score: The Software reliability score is based on hard metrics regarding software crashes occurring across the device.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.software_reliability_with_gui_score_impact
float
Software reliability (with GUI) impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_reliability_with_gui_value
float
Software reliability (with GUI) score: The Software reliability score is based on crashes of binaries with a Graphical User Interface.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the execution crashes (field number_of_crashes ) of binaries with a graphical user interface (i.e., field has_user_interface is equal to TRUE).The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.software_reliability_without_gui_score_impact
float
Software reliability (without GUI) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.software_reliability_without_gui_value
float
Software reliability (without GUI) score: The Software reliability score is based on crashes of binaries without a Graphical User Interface.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the execution crashes (field number_of_crashes ) of binaries without a graphical user interface (i.e., field has_user_interface is equal to false).The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.system_crash_score_impact
float
System crash score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.system_crash_value
float
System crash score: The Device responsiveness score is based on the number of system crashes.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the field number_of_system_crashes , which captures crashes of a device such as Blue Screen of Death (BSOD) on Windows.The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.system_free_space_score_impact
float
System free space score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.system_free_space_value
float
System free space score: The system free space score is based on the amount of free system disk space. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the system free space score based on the value of the field system_drive_free_space, which is the amount of free space available on the system drive.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.value
float
Endpoint score: The Endpoint score is based on hard metrics focused on device performance and reliability.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.virtual_session_lag_score_impact
float
Virtual session lag impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.virtual_session_lag_value
float
Virtual session lag score: The Virtual session lag score is based on the network latency for virtual sessions.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: It is computed based on the value of the field average_network_latency , which measures the lag for virtual sessions.The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
endpoint.wifi_download_speed_score_impact
float
WiFi download speed score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.wifi_download_speed_value
float
WiFi download speed score: The Wi-Fi download speed score is based on the receiving rate of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi download speed score based on the value of the field receive_rate, which is the transmission rate of the Wi-Fi adapter. The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experience
The system computes it once per day and it is based on data from the last 7 days. Refer to the DEX score documentation for more information.
endpoint.wifi_signal_strength_score_impact
float
WiFi signal strength score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.wifi_signal_strength_value
float
WiFi signal strength score: The Wi-Fi signal strength score is based on the signal quality of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi signal strength score based on the value of the field signal_strength, which is the Wi-Fi signal strength or Received Signal Strength Indicator (RSSI).The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
endpoint.wifi_upload_speed_score_impact
float
WiFi upload speed score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.
endpoint.wifi_upload_speed_value
float
WiFi upload speed score: The Wi-Fi upload speed score is based on the transmission rate of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi upload speed score based on the value of the field transmission_rate, which is the transmission rate for the Wi-Fi adapter. The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experience
The system computes the value once per day and it is based on data from the last 7 days. Refer to the DEX score documentation for more information.
score_computation_approximation
enumeration
Score computation approximation: This indicates whether an approximation related to the device or its context influenced the computation of the score. The possible values are:
unknown
none
multi_device
multi_context
When the device or context changes, this field will indicate that the score cannot be associated beyond the user to device and context. Details: Approximations may arise from scenarios such as user operating multiple devices at the same time or changes in the device context within an hour, such as change in location. See here for more information: FAQ
sentiment.value
integer
Sentiment score: The Sentiment score is based on survey data collected via a sentiment campaign.
A score represents the level of satisfaction with IT.
Details: The value could be between 0 and 100 and corresponds to:
0-30: Dissatisfied employee
31-70: Not dissatisfied, nor satisfied employee
71-100: Satisfied employeeIt is computed once per day and is based on survey data from the last 30 days.
technology.value
float
Technology score: The Technology score is based on hard metrics for endpoints, applications, and collaboration solutions.
A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).
Details: The value could be between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.
time
datetime
Time: The time of the DEX metric.
value
float
DEX score: The Digital Employee Experience (DEX) score is based on hard metrics and soft metrics.
The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.
Details: The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and is based on data from the last 7 days.
Refer to the DEX score documentation for more information.
The execution namespace consists of two tables: crashes and events. The crashes table contains instances of executables crashing. The execution events table stores information about the performance of executables in 15-minute or 24-hour time blocks.
The table collecting crashes of a running process.
crashes are punctual events.
crashes are associated to binary, device, user, application
binary_path
string
Binary path: The path to the crashing binary.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
crash_on_start
bool
Crashed on start: Indicates if the binary crashed immediately after launch. Details: Yes if the process crashes within the first second.
number_of_crashes
integer
Number of crashes: The number of crashes of the same binary that happened within one minute. Details: Collector creates only one event if the same binary crashes multiple times within one minute.
time
datetime
Time: The date and time when the crash happened.
The table collecting performance metrics and attributes specific to a process execution.
events are sampled events.
events are associated to user, binary, device, application
bucket_duration
duration
Bucket duration: The duration of the bucket.
connection_establishment_time
duration
Connection establishment time: The average round trip time during TCP connection establishment. Requirements: TCP connections only Details: The average RTT for all established connections. The round trip time is measured between sending the SYN message and receiving the SYN-ACK message from the remote party during the TCP connection establishment (3-way handshake).
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
cpu_time
duration
CPU time: The sum of the CPU time of all the underlying processes during this bucket. Details: The CPU time can be much higher than the bucket duration as multiple processes can run in parallel on several CPU cores.
end_time
datetime
Bucket end: The end time of the bucket.
execution_duration
duration
Execution duration: The duration of the process in this bucket. Details: It represents the total time for which at least one instance of the process was running.
focus_time
duration
Focus time: The amount of time any window related to this execution was in focus. Details: A window is in 'focus' when it is selected to receive input from the user. Only one window has the focus at any point in time.
The focus time of all windows related to this execution is summed up to a maximum that equals the bucket duration.
incoming_throughput
float
Incoming throughput: The average download speed in Mbit/sec. Requirements: TCP connections only
incoming_traffic
bytes
Incoming traffic: The amount of application traffic received. Requirements: TCP connections only
memory
bytes
Memory used: The average memory in bytes. Details: This metric is based on the memory used by all processes running the same binary during this bucket.
When aggregating the data, the average is weighted with the execution duration.
number_of_established_connections
integer
Established connections: The number of connections that have been established in this bucket.
number_of_freezes
integer
Number of freezes: The number of execution freezes. Details: The sampling of unresponsive applications every 30 second might lead to missed execution freezes.
number_of_logical_processors
integer
Logical processors: The number of logical processors on the device. Details: Use this metric to calculate normalized CPU usage by dividing through the number of logical processors.
number_of_no_host_connections
integer
Failed connections - no host: The number of connections that failed because the device cannot reach the destination host. Requirements: TCP connections only Details: A connection fails with 'no host' when the destination host (remote party) does not acknowledge the TCP SYN message. For example, the remote party does not exist or a firewall blocks the connection request.
number_of_no_service_connections
integer
Failed connections - no service: The number of connections that failed because the device cannot reach the service on the destination host. Requirements: TCP connections only Details: A connection fails with 'no service' when the destination host (remote party) acknowledged the initial TCP SYN message by an RST message. For example, the remote party exists, but no service is bound to the request port.
Note that a firewall protects most personal computers and discards RST messages to prevent effective port scanning.
number_of_page_faults
long
Page faults: The total number of page faults. Details: A page fault happens, when a process tries to access a part of the memory that has not yet been loaded into memory. Page faults degrade the performance of the execution and the system.
Windows
number_of_rejected_connections
integer
Failed connections - rejected: The number of outgoing connections that have been rejected on the device of the user. Requirements: TCP connections only Details: The operating system of the device or a local firewall can reject an outgoing connection on the device.
number_of_stopped_processes
integer
Stopped processes: The total number of processes terminated without error.
outgoing_throughput
float
Outgoing throughput: The average upload speed in Mbit/sec.
outgoing_traffic
bytes
Outgoing traffic: The amount of application traffic sent. Details: This includes the traffic from all TCP and UDP connections.
primary_physical_adapter_type
enumeration
Network adapter type: The type of the primary physical network adapter at the time of this execution. Details: There are three types of physical network adapters: :
WiFi
Ethernet
Bluetooth
start_time
datetime
Bucket start: The start time of the bucket.
total_memory
bytes
Total memory: The total memory of the whole application in bytes. Requirements: Exclusive to Nexthink Infinity. Minimum Collector version: 2024.9 Details: This metric is only available for the process of the main binary (process_hierarchy == main_process). It is the sum of the memory used by all processes with the same main_binary during this bucket. When aggregating the data, the average is weighted with the execution duration.
The package namespace includes information about software products in their distributable form: applications and updates. In addition to the packages and installed_packages tables, it includes two event tables: installations and uninstallations.
A table of packages. A package is a group of files and executables that together constitute a software application.
first_seen
datetime
First seen: It represents the date and time the package was first detected on the Nexthink platform.
Windows macOS
name
string
Package name: The name of the packages as it is listed in the operating system. Details: The Nexthink platform scans for new packages once per hour. Installation and uninstallation events align with the hourly scans.
Windows macOS
parent_name
string
Parent package name: It shows the name of the original package that an update was installed for. Details: Applies only to updates. The field is empty for regular installation packages.
Windows
platform
enumeration
Package platform: The platform to which the operating system belongs for the installed package. Details: Possible values are:
Windows
macOS
Windows macOS
publisher
string
Package publisher: The name of the company that publishes the software.
Windows macOS
type
enumeration
Package type: It shows if the package contains a program or an update to a previously installed package. Details: Possible values are:
Program
Update
Windows macOS
uid
uuid
Package UID: The numerical value that uniquely identifies a package on the Nexthink platform.
Windows macOS
version
string
Package version: The version of the package stored as a String. Details: The type is set as a string because the package version reported by the operating system is not always numerical. This contrasts with binary.version, which consistently follows the x.y.z.t format.
Windows macOS
A table of package installation events.
installations are punctual events.
installations are associated to package, device, user
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
time
datetime
Installation time: The time of the installation event.
A table of package uninstallation events.
uninstallations are punctual events.
uninstallations are associated to package, device, user
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
time
datetime
Uninstallation time: The time of the uninstallation event.
A table of all installed packages on all devices.
installed_packages are associated to device, user, package,
first_seen
datetime
First seen: It represents the date and time the package was first detected on the Nexthink platform.
Windows macOS
name
string
Package name: The name of the packages as it is listed in the operating system. Details: The Nexthink platform scans for new packages once per hour. Installation and uninstallation events align with the hourly scans.
Windows macOS
parent_name
string
Parent package name: It shows the name of the original package that an update was installed for. Details: Applies only to updates. The field is empty for regular installation packages.
Windows
platform
enumeration
Package platform: The platform to which the operating system belongs for the installed package. Details: Possible values are:
Windows
macOS
Windows macOS
publisher
string
Package publisher: The name of the company that publishes the software.
Windows macOS
type
enumeration
Package type: It shows if the package contains a program or an update to a previously installed package. Details: Possible values are:
Program
Update
Windows macOS
uid
uuid
Package UID: The numerical value that uniquely identifies a package on the Nexthink platform.
Windows macOS
version
string
Package version: The version of the package stored as a String. Details: The type is set as a string because the package version reported by the operating system is not always numerical. This contrasts with binary.version, which consistently follows the x.y.z.t format.
Windows macOS
The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'
The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'
audit_logs are punctual events.
account
string
Account: The name of the account or the API credentials that triggered the action.
category
enumeration
Category: The category of the event (e.g., "login" for all events related to authentication).
code
numeric
Code: The code that identifies the event. Please refer to the audit documentation for more details.
message
string
Message: The full audit event message.
time
datetime
Time: The timestamp of the event.
The list of all logs associated to custom trends computations. Requires permission 'View platform logs in NQL'.
custom_trends_logs are punctual events.
details
jsonType
Details: Custom Trends log details.
status
enumeration
Status: The status of the custom trend execution.
time
datetime
Time: The timestamp of the event.
data_export_log
data_export_logs are punctual events.
details
jsonType
Details: Data Export log details.
status
enumeration
Status: The status of the data export execution.
time
datetime
Time: The timestamp of the event.
The remote action namespace consists of tables giving details about remote actions, including the configuration data and the remote action executions. Nexthink Remote Actions allows you to execute small scripts on employee devices. It provides several opportunities for the prevention and remediation of employee issues and for gathering additional information from endpoints running Nexthink Collector.
The table of defined remote actions.
name
string
Name: The name of the remote action. Details: User defined friendly name created through the remote action configuration page. The name of the remote action can be changed after creation and should not be considered as a unique identifier.
nql_id
string
NQL ID: The unique identifier of a remote action. Details: The NQL ID cannot be changed after the initial creation.
source
enumeration
Remote action source: It represents the platform that was used to create the remote action. Details: Possible values:
cloud
finder
Note that cloud references Nexthink Infinity.
The table collecting the executed remote actions.
executions are punctual events.
executions are associated to device, remote_action
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
external_reference
string
External reference: An identifier of the external web application record in reference to which the remote action was executed. Details: The field could contain the values such as the ticket identifier of the ITSM ticket.
external_source
string
External source: Name of the external system, outside of Nexthink, from where the remote action was triggered. Details: External source contains the name of the external system which either used Nexthink product or directly the API to trigger the remote action.
inputs
string
Inputs: A list of the inputs provided for the remote action execution. Details: The list of inputs provided for the remote action execution at the point it was triggered. These inputs are used by the remote action to influence how it behaves.
internal_source
string
Internal source: Displays the name of the feature from which the remote action was triggered. Possible values: Amplify, Workflow, Investigation, Device view, or blank for no value.
message_uuid
string
Message UUID: The unique identifier of the remote action execution. Details: The message UUID is used to identify a single remote action execution and is generated when a remote action is triggered.
number_of_executions
long
Number of executions: The number of times the remote execution attempted to run on the device.
outputs
string
Outputs: A list of outputs collected by the remote action execution.
purpose
enumeration
Purpose: The purpose of the remote action defined in the configuration. Details: The purpose is part of the remote action configuration and describes whether the remote action is collecting data, remediating an issue or performing both functions. Possible values:
data_collection
remediation
both
request_id
string
Request ID: The unique identifier for the request that created this remote action execution. Details: The request ID is generated and linked to individual remote action executions when a remote action is triggered against one or multiple devices. This field can be used as a method of grouping remote action executions
request_time
datetime
Request time: The date and time when the remote action execution was triggered.
status
enumeration
Status: The current status of the remote action execution. Details: The status can be used to monitor whether a remote action execution has finished or not. Possible values:
in_progress
expired
failure
success
no_script
cancelled
old_collector
waiting_on_device
status_details
string
Status details: The latest message returned by the remote action execution. Details: The status details field contains the return message and exit codes from the remote action.
time
datetime
Time: The date and time the remote action execution was last updated.
trigger_method
enumeration
Trigger method: Displays the mode of trigger used to start the remote action execution. Details: Possible values:
manual: the remote action is executed on manually selected devices
automatic: the remote action is executed on a recurring basis based on a centrally-managed schedule
automatic_local_schedule: the remote action is executed on a recurring basis based on a schedule on the endpoint
API: the remote action is executed programmatically using the Remote Actions API on selected devices
workflow: the remote action is executed as part of a Nexthink workflow
The table collecting the trend of executed remote actions.
executions_summary are sampled events.
executions_summary are associated to remote_action
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
inputs
string
Inputs: A list of inputs provided for the remote action execution. Details: The list of inputs provided for the remote action execution at the point that it was triggered. These inputs are used by the remote action to influence how it behaves.
number_of_executions
long
Number of executions: The number of times the remote execution attempted to run on the device.
purpose
enumeration
Purpose: The purpose of the remote action defined in the configuration. Details: The purpose is part of the remote action configuration and describes whether the remote action is collecting data, remediating an issue or performing both functions. Possible values:
data_collection
remediation
both
status
enumeration
Status: The current status of the remote action execution. Details: The status can be used to monitor whether a remote action execution has finished or not. Possible values:
in_progress
expired
failure
success
no_script
cancelled
old_collector
waiting_on_device
status_details
string
Status details: The latest message returned by the remote action execution. Details: The status details field contains the return message and exit code that came back from the remote action.
time
datetime
Time: The date and time when the remote action execution was last updated.
trigger_method
enumeration
Trigger method: The trigger used to start the remote action execution. Details: Possible values:
null
automatic
api
manual
The service namespace is an inventory of critical system components and specialised applications that run in the background on user devices. It allows for efficient status and/or configuration tracking and optimisation to ensure system reliability and security. Please note: This feature is exclusive to Nexthink Infinity.
A table of services. A service performs automated tasks, respond to hardware events, or listen for data requests from other software. These services are often loaded automatically at startup, and run in the background, without user interaction
arguments
string
Arguments: Parameters used for launching the service. Requirements: Exclusive to Nexthink Infinity. Details: Unique ids, hashes contained in arguments might be replaced with ellipses to correlate the same services better. Similarly, paths present in arguments might get tokenised. Eg. they can be matched with same binary paths captured for execution crashes.
Windows
dependency_of
jsonArrayString
Dependency of: List of other services and drivers that depend on this service. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service.
Windows
depends_on
jsonArrayString
Depends on: List of services and drivers that the given service depends on. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service.
Windows
description
string
Description: Purpose of the the service as stated by the developer. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. English version takes precedence.
Windows
display_name
string
Display name: User friendly name of the service. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. English version takes precedence.
Windows
module_path
string
Module path: dll module loaded by the main executable. Requirements: Exclusive to Nexthink Infinity.
Windows
name
string
Name: Short name of the Service used for identification. Requirements: Exclusive to Nexthink Infinity.
Windows
path
string
Path: Location of the binary that is executed for the service. Requirements: Exclusive to Nexthink Infinity. Details: Unique ids, hashes contained in the path might be replaced with ellipses to correlate the same services better.
Windows
uid
uuid
Service UID: It represents a numerical value that uniquely identifies a service on the Nexthink platform.
Windows
Timeline of events when an attribute of an existing service has changed on a device. The attributes tracked by these events are the same as in the installed_services table. Eg. logon_as & startup_type.
changes are punctual events.
changes are associated to service, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
field
enumeration
Field: Name of the attribute of the related service that has changed. Requirements: Exclusive to Nexthink Infinity.
Windows
new_value
string
New value: New value of the field that has changed. Requirements: Exclusive to Nexthink Infinity.
Windows
old_value
string
Old value: Previous value of the field that has changed. Requirements: Exclusive to Nexthink Infinity.
Windows
time
datetime
Time: When the change of the value was detected.
Windows
Punctual event, indicating when an service was added or removed to a particular device.
installations are punctual events.
installations are associated to service, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
event_type
enumeration
Installation type: Indicates if the service was installed or uninstalled. (install, uninstall) Requirements: Exclusive to Nexthink Infinity
Windows
time
datetime
Time: When the item was detected to be added or removed.
Windows
A table of all installed services on all devices.
installed_services are associated to device, service,
first_seen
datetime
Service first seen: Service first seen on the given device. Requirements: Exclusive to Nexthink Infinity.
Windows
last_updated
datetime
Service info last updated: When was the last change of the service captured on the given device. Requirements: Exclusive to Nexthink Infinity.
Windows
logon_as
string
Service logs on as: Either one of the main 4 options (Local System, Local Service, Network Service, Per user) or an explicit user. Requirements: Exclusive to Nexthink Infinity. Details: The "per user" startup-type is specific to so called per-user services that are run on user login, for the specific user, in their own session.
Windows
startup_type
enumeration
Service startup type: The startup type (Automatic, Manual, Disabled, or Delayed) defines how and when a Windows service initiates its operation. Requirements: Exclusive to Nexthink Infinity. Details: Automatically started services are launched after the device was booted, while Delayed ones usually wait 120s after the last Automatic service has been started. (Delay period is configurable.) Manual services are launched on-demand.
Windows
The session namespace consists of several events tables related to a user session on a device. The session events table contains all sampled metrics in 15-minute and 24-hour buckets. The others are punctual events linked to a session.
The table collecting connections linked to user sessions.
connects are punctual events.
connects are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_connects
integer
Number of connects: The number of session connects.
session_uid
string
Session UID: The session UID.
time
datetime
Time: The date and time of the connection.
The table collecting disconnections linked to user sessions.
disconnects are punctual events.
disconnects are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_disconnects
integer
Number of disconnects: The number of session disconnects.
session_uid
string
Session UID: The session UID.
time
datetime
Time: The date and time of the disconnect.
The table collecting performance metrics and attributes specific to both local and remote sessions.
events are sampled events.
events are associated to user, device
average_network_latency
duration
Average network latency: It indicates how long it took on average for remote access protocol packets to travel from the endpoint to the virtual desktop and back. Some users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine.
Windows
average_rtt
duration
Average RTT: It indicates how long it took on average for the virtual desktop to respond to the user input. Some users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for remote desktop sessions that are accessed through the Citrix ICA/HDX remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. Details: The session input round trip time combines network performance and performance of the virtual desktop in a single measurement. To diagnose the cause of a high value, you also need to look at the session network latency. If the session latency is also high then you should first investigate network connections. Otherwise, start investigating the performance of the virtual desktops.
Windows
bucket_duration
duration
Bucket duration: It represents the timespan over which the metrics were measured and aggregated.
client_ip
ipAddress
Client IP address: The IP address of the device used to access the remote virtual desktop. Requirements: This value is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. Note that some modern desktop virtualization solutions no longer support this value due to security and network routing restrictions.
Windows
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration_with_high_user_input_delay
duration
Duration with high user input delay: The amount of time the session took longer than 200 milliseconds to respond to a user input. Requirements: The user input delay requires Windows 11 or Window Server 2022.
Windows
duration_with_medium_user_input_delay
duration
Duration with medium user input delay: The amount of time the session took longer than 100 milliseconds to respond to a user input. Requirements: The user input delay requires Windows 11 or Window Server 2022.
Windows
end_time
datetime
Bucket end: It represents the date and time at which the data collection ended for the given timespan.
max_network_latency
duration
Maximum network latency: The maximum amount of time it took for the remote access protocol packets to travel from the endpoint to the virtual desktop and back. Users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine.
Windows
max_rtt
duration
Maximum RTT: The maximum amount of time it took for the virtual desktop to respond to a user input. Users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for remote desktop sessions that are accessed through the Citrix ICA/HDX remote access protocol. Furthermore, this metric requires Nexthink Collector to be installed on the virtual desktop machine. Details: The session input round trip time combines network performance and performance of the virtual desktop in a single measurement. To diagnose the cause of a high value, you also need to look at the session network latency. If the session latency is also high then you should first investigate the network connections. Otherwise, start investigating the performance of the virtual desktops.
Windows
protocol
enumeration
Protocol: The remote access protocol used to connect to the session. The possible values are:
Citrix - ICA
VMware - Blast
VMware - PCOIP
RDP
Local session
Amazon PCOIP
session_id
long
Session ID: A temporary identifier which is assigned to each user session on a Windows computer. On a macOS device, the session ID represents the program ID of the process that is hosting the session. Details: Typically, only one interactive user is present on a Windows device at any given time. On a virtual desktop, many users may be interacting with the device at the same time. Each user session will get a unique ID assigned when the user logs in. The ID stays with that session until the user logs off. After that, the session ID will be reused for the next user who logs in. Beware that the session ID cannot be used to uniquely identify sessions on the Nexthink platform.
session_uid
string
Session UID: The unique identifier of a session on the Nexthink platform.
start_time
datetime
Bucket start: The start time of the bucket.
user_interaction_time
duration
Interaction time: The time that the user was actively interacting with the session. Details: Collector gathers information when and how long the user was interacting with the computer with the help of a keyboard or a pointing devices. The sum of these interactive periods are reported as a duration.
The table collecting all events linked to user sessions.
lifecycle_events are punctual events.
lifecycle_events are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_lifecycle_events
integer
Number of events: The number of session events.
session_uid
string
Session UID: The session UID
time
datetime
Time: The date and time of the lifecycle event.
type
enumeration
Lifecycle event type: The type of lifecycle event. Possible values are:
login
logout
lock
unlock
connect
disconnect
Details: The connect and disconnect events refer to Microsoft Windows' WTSConnected, WTSDisconnected functions. This means that there will be a connection event without a corresponding login event when a user attempts to remotely access a device and establishes a connection but does not finish authentication.
The table collecting locks linked to the user sessions.
locks are punctual events.
locks are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_locks
integer
Number of locks: The number of session locks.
session_uid
string
Session UID: The session UID
time
datetime
Time: The date and time of the lock event.
The table collecting all session logins.
logins are punctual events.
logins are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_logins
integer
Number of logins: The number of logins.
session_uid
string
Session UID: The session UUID
time
datetime
Time: The date and time of the login.
time_until_desktop_is_ready
duration
Time until desktop ready: The number of seconds between the user login and the device is ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.
Windows
time_until_desktop_is_visible
duration
Time until desktop visible: The number of seconds between the last user login and the time the desktop appears.
Windows
The table collecting all session logouts.
logouts are punctual events.
logouts are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_logouts
integer
Number of logouts: The number of logouts.
session_uid
string
Session UID: The session UUID
time
datetime
Time: The date and time of the logout.
The table collecting unlocks linked to user sessions.
unlocks are punctual events.
unlocks are associated to user, device
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
number_of_unlocks
integer
Number of unlocks: The number of session unlocks.
session_uid
string
Session UID: The session UID.
time
datetime
Time: The date and time of the unlock event.
The software metering namespace contains a table that stores software usage to optimize licenses across an organization. This data is collected for the software meters configured in the system.
meter_configuration
description
string
Description: The description of a software meter configuration. Details: User-defined through Software metering configuration interface.
The description of the software meter can be changed after creation.
license_type
enumeration
License type: The type of licensing model for the configured software meter. It could be: User-based or Device-based. Details: User-defined through Software metering configuration interface.
The license type of the software meter can be changed after creation.
name
string
Name: The name of a software meter configuration. Details: User-defined through Software metering configuration interface.
Software meter configurations are based on Application Objects
The name of the software meter can be changed after creation and should not be used as a unique identifier.
nql_id
string
NQL ID: The unique identifier of a software meter configuration. Details: NQL ID cannot be changed after initial creation.
event
events are punctual events.
events are associated to device, user, application, meter_configuration
context.location_geo_ip.country
string
Country location: The country in which the device is located at the time of the event.
context.location_geo_ip.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location_geo_ip.state
string
Country subdivision location: The state in which the device is located at the time of the event.
context.location_geo_ip.type
string
Type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
desktop_execution_duration
duration
Execution duration - Desktop: Execution duration of Desktop part. Requirements: The configured software meter should have a desktop part to be populated.
desktop_focus_time
duration
Focus time - Desktop: The amount of time when any window of the software's executables was in focus. Requirements:
Focus time needs to be enabled. The system disables it by default.
It applies only to software meters that include a desktop application.
end_time
datetime
Bucket end: The end time of the bucket. Details: The bucket for software metering has a resolution of 1 week and always starts at the beginning of the week UTC.
start_time
datetime
Bucket start: The start time of the bucket. Details: The bucket for software metering has a resolution of 1 week and always starts at the beginning of the week UTC.
web_focus_time
duration
Focus time - Web: The amount of time when a browser tab is running the software and has the focus. Requirements:
Web usage time needs to be enabled. The system enables it by default.
The configured software meter should have a web part to be populated.
How to enable web usage time metric Details: It is collected via the Nexthink browser plugin.
web_is_used
bool
Webpart usage indicator: It indicates if the user accessed the URLs of the software. It should be used in case Web usage time is disabled for web applications. Details: It is collected via the Nexthink Browser plugin.
The web namespace contains tables that store events, errors, page views and transactions that occur in the business-critical services defined in the tables of the application namespace.
The table collecting errors of defined business-critical services.
errors are sampled events.
errors are associated to binary, device, user, application, page
adapter_type
enumeration
Adapter type: The type of adapter used when the error occurred. Possible values are:
WiFi
Ethernet
Bluetooth
Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
bucket_duration
duration
Bucket duration: The duration of the bucket.
code
integer
Error code: The extended HTTP response status. This is a numerical field denoting the code associated with the error, for example, 404, 401, 601. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
end_time
datetime
Bucket end: The end time of the bucket.
label
string
Error label: The error message as reported by the browser. The web browser reports a wide range of error types that the Nexthink browser extension catches and reports to the Nexthink instance, for example, HTTP 404, net::ERR_TIMED_OUT. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
number_of_errors
integer
Number of errors: The number of web errors recorded within the time bucket. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
start_time
datetime
Bucket start: The start time of the bucket.
url
string
URL: The navigation URL recorded when the error event happened. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
The table collecting errors of defined business-critical services up to 90d
errors_summary are sampled events.
errors_summary are associated to application, page
adapter_type
enumeration
Adapter type: The type of adapter used when the error occurred. Possible values are:
WiFi
Ethernet
Bluetooth
Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
bucket_duration
duration
Bucket duration: The duration of the bucket.
code
integer
Error code: The extended HTTP response status. This is a numerical field denoting the code associated with the error, for example, 404, 401, 601. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
end_time
datetime
Bucket end: The end time of the bucket.
label
string
Error label: The error message as reported by the browser. The web browser reports a wide range of error types that the Nexthink browser extension catches and reports to the Nexthink instance, for example, HTTP 404, net::ERR_TIMED_OUT. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
number_of_errors
integer
Number of errors: The number of web errors recorded within the time bucket. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
start_time
datetime
Bucket start: The start time of the bucket.
The table collecting events of defined business-critical services.
events are sampled events.
events are associated to binary, device, user, application, page
bucket_duration
duration
Bucket duration: The duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Usage time: The time spent using the application or key page. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.. Details: The usage time includes both page load time and the time the employee is not interacting with the page at all, as long as the tab is focused. More info from the documentation
end_time
datetime
Bucket end: The end time of the bucket.
start_time
datetime
Bucket start: The start time of the bucket.
The table collecting events of defined business-critical services up to 90d
events_summary are sampled events.
events_summary are associated to application, page
bucket_duration
duration
Bucket duration: The duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Usage time: The time spent using the application or key page. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.. Details: The usage time includes both page load time and the time the employee is not interacting with the page at all, as long as the tab is focused. More info from the documentation
end_time
datetime
Bucket end: The end time of the bucket.
start_time
datetime
Bucket start: The start time of the bucket.
Table collecting page views of defined business-critical services.
page_views are sampled events.
page_views are associated to binary, device, user, application, page
adapter_type
enumeration
Adapter type: The type of adapter used when the navigation occurred. Possible values are:
WiFi
Ethernet
Bluetooth
bucket_duration
duration
Bucket duration: The duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
detailed_page_load_time.connect
duration
Connect time: The time spent establishing TCP connection, including secure socket connection, if performed. The connect time metric provides insights into the latency and performance of the connection establishment process. That metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that this metric is not measured for every page view event or subsequent requests within a single browsing session. Once the TCP connection is established, subsequent requests can reuse the existing connection, which eliminates the need for the TCP handshake and reduces the overall latency. More info from the documentation
detailed_page_load_time.dom_content_loading
duration
DOM loaded time: The time it took for a webpage to finish creating its visual structure, known as the render tree. It starts when the necessary styles for the page, known as the CSS Object Model, are ready. The 'DOMContentLoaded' event is triggered before the complete loading of external resources such as images, stylesheets, and scripts. This means that once this event is completed, critical functionality and interactivity become available to users, even if additional resources are still loading in the background. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The timing metric associated with the 'DOMContentLoaded' event includes two properties: 'domContentLoadedEventStart' and 'domContentLoadedEventEnd.' These properties represent the start and end times of the render tree creation process. Optimizing the 'DOMContentLoaded' event can significantly improve the perceived performance of a webpage. Techniques to enhance this metric include minimizing render-blocking resources, lazy loading non-critical resources, optimizing JavaScript execution, and implementing resource caching. More info from the documentation
detailed_page_load_time.dom_processing
duration
DOM processing time: The time it takes for a webpage to finish building its structure and become fully interactive. This process is called constructing the Document Object Model (DOM).This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The complete state, represented by the 'domComplete' property, marks the point when the browser has fully constructed the DOM tree, including any dynamically generated or modified elements. It signifies the completion of the DOM processing phase. Optimizing DOM processing involves techniques like optimizing HTML structure, reducing DOM complexity, optimizing external resources, and improving JavaScript execution. Faster DOM processing leads to quicker rendering and interactivity, enhancing the overall user experience. More info from the documentation
detailed_page_load_time.domain_lookup
duration
DNS lookup time: The time spent on DNS resolution, for example, the time between the browser starting to resolve the domain name and when the resolution is complete. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that the this metric is not measured for every request. It is typically measured once per browsing session or connection. More info from the documentation
detailed_page_load_time.load_event
duration
Load event time: The time spent on the page load event. The load event is fired when all resources, including images, scripts, stylesheets, and subframes, have finished loading, and the webpage is fully rendered and ready for user interaction. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When you visit a webpage, the browser needs to download and process various resources like images, scripts, stylesheets, and other elements. The 'loadEventStart' property indicates the point when the browser begins loading these resources.The 'loadEventEnd' property, on the other hand, represents the moment when the webpage has finished loading all the necessary resources and is fully displayed on the screen, ready for you to use. If the load event takes a long time to complete, it could indicate issues such as slow server response, large resource sizes, excessive JavaScript execution, or inefficient resource loading strategies. More info from the documentation
detailed_page_load_time.redirect
duration
Redirect time: The time spent on page redirections. If there are any redirects involved in the navigation, these properties indicate the start and end times of the redirect process. They measure the time taken to complete any HTTP redirects, which occur when a server responds to a request with a redirection status code. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Redirects could happen, for example, when a website has changed its URL or when certain content has been moved. More info from the documentation
detailed_page_load_time.request
duration
Request time: The time it takes to wait for the first byte of the document response. This is the time between when the browser starts requesting the document from the server, and when the browser receives the first by of the response from the server. This metric is the only contributor to the 'backend time' metric. Backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries, or server overload. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
detailed_page_load_time.response
duration
Response time: The elapsed time between the first and last bytes of the response. It measures the efficiency of network communication and contributes to the 'network time' metric. Optimizing response time involves minimizing network latency, using data compression, implementing caching mechanisms, and reducing round trips. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
detailed_page_load_time.secure_connection
duration
TLS time: The time it takes to establish a secure socket connection (TLS handshake) between the browser and the webserver. This metric represents a part of the connection metric. Note that the this metric is not measured for every page view event or subsequent requests within a single browsing session. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
detailed_page_load_time.unload_event
duration
Unload event time: The time spent on the page unload event. An unload event is triggered when the user navigates away from the page or when the page is reloaded. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
domains_contacted
integer
Number of domains contacted: It indicates the number of unique domain names from which various resources (such as images, scripts, stylesheets, fonts, etc.) are being fetched. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: This metric indicates the level of domain diversity in terms of resource retrieval during the loading process of a web page. These domains can include the application's own domain, as well as domains for third-party resources like analytics scripts, ads, content delivery networks (CDNs), and more. Each unique domain contacted represents a separate server from which the browser needs to fetch resources, and this can impact overall page load times.
end_time
datetime
Bucket end: The date and time of the bucket end.
experience_level
enumeration
Experience level: The user experience level of a navigation evaluated by the extension, based on the defined thresholds. Possible values are:
good
average
frustrating
Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The thresholds are configured for each application through the application configuration menu. More info from the documentation
is_soft_navigation
bool
Soft navigation: It indicates whether a navigation is a hard navigation or soft navigation. Soft navigations refer to navigations within a single-page application, where the browser does not load a new page, as opposed to hard navigations where a webpage is initially loaded. Note that soft navigations are not collected by default and should be enabled on a per-application basis. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
largest_resource_load_time
duration
Largest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: When a user's browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. This metric is collected through 'Performance Resource Timing' API.
largest_resource_size
bytes
Size of the largest resource: The size of the largest resource. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. This metric is collected through 'Performance Resource Timing' API.
largest_resource_type
string
Type of the largest resource: The type of the largest resource, e.g: 'stylesheet', 'script', 'image'. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. This metric is collected through 'Performance Resource Timing' API.
largest_resource_url
string
URL of the largest resource: It indicates the URL of the largest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. Note that resource URLs are sanitised using the sanitisation rules described in the online documentation . This metric is collected through 'Performance Resource Timing' API.
longest_resource_load_time
duration
Longest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. If a specific resource takes a significantly longer time to load compared to others, it may affect the overall loading speed of your web application. Note that a page can be perceived as loaded even though some of the resources are being loaded in the background. For hard navigation measurements, we use "Navigation Timings API", which reports page load times for the main document. This is why, for some hard navigations, you can see an overall page load time reported to be shorter than the "longest resource load time". This metric is collected through the "Performance Resource Timing" API.
longest_resource_size
bytes
Size of the longest resource: The size of the longest resource. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. This metric is collected through 'Performance Resource Timing' API.
longest_resource_type
string
Type of the longest resource: The type of the longest resource, e.g: 'stylesheet', 'script', 'image'. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. This metric is collected through 'Performance Resource Timing' API.
longest_resource_url
string
URL of the longest resource: It indicates the URL of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: Note that resource URLs are sanitised using the sanitisation rules described in the online documentation . This metric is collected through 'Performance Resource Timing' API.
number_of_active_tabs
long
Number of active tabs: It indicates the number of open and active tabs of a browser. Users may experience web application slowness if this value is too large. This measurement is collected for every navigation and transaction event. Note that browsers offload or deactivate certain tabs over time to save memory. This metric presents the active tabs on a browser that are not offloaded or deactivated. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
number_of_large_resources
integer
Number of large resources: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that are larger than 100KB, during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When a browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. This metric is collected through "Performance Resource Timing" API.
number_of_page_views
integer
Number of page views: The number of page views that took place within the time bucket. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser.
number_of_resource_errors
integer
Number of resource errors: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that failed to load or encountered errors during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Resource errors can indicate that some files or assets are missing from the web application. This may result in broken links, missing images, or non-functional scripts. This metric is collected through the "Performance Resource Timing" API.
number_of_resources
integer
Number of resources: It indicates the total number of resources (such as images, scripts, stylesheets, or other files) loaded during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The more resources a web page has, the longer it may take to load and render in the browser. By analyzing the number of resources, you can identify opportunities to optimize the performance of your web application. For example, you might consider minimizing or combining CSS and JavaScript files, compressing images, or using caching techniques to reduce the number of requests made to the server. This metric is collected through the "Performance Resource Timing" API.
page_load_time.backend
duration
Backend time: The estimated time spent on the backend side during a navigation. The backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries or server overload. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
page_load_time.client
duration
Client time: The time taken by the client-side application, running on the device, to respond. It represents the portion of the total page load time that is not spent on network and backend, for example 'Client time' is 'Total page load time' minus 'Backend time' and 'Network time'. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long client time can indicate issues such as slow rendering of page elements, excessive JavaScript processing, inefficient CSS styling or device/OS processing other tasks. More info from the documentation
page_load_time.network
duration
Network time: The time it takes for a web request to travel over the network from client device to the server and for the server response to travel back. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long network time can indicate issues such as network congestion, poor server performance, or geographical distance between the server and the client. It is important to note that the network time can also be impacted by the size and complexity of the web page being loaded, as well as the geographical location of the server and the client device. More info from the documentation
page_load_time.overall
duration
Page load time: It indicates the time taken by a page to load. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
response_size
bytes
Response size: The size of the HTTP response.
start_time
datetime
Bucket start: The date and time of the bucket start.
url
string
URL: The navigation URL recorded when the page view event took place.
Table collecting page views of defined business-critical services up to 90d
page_views_summary are sampled events.
page_views_summary are associated to application, page
adapter_type
enumeration
Adapter type: The type of adapter used when the navigation occurred. Possible values are:
WiFi
Ethernet
Bluetooth
bucket_duration
duration
Bucket duration: The duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
detailed_page_load_time.connect
duration
Connect time: The time spent establishing TCP connection, including secure socket connection, if performed. The connect time metric provides insights into the latency and performance of the connection establishment process. That metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that this metric is not measured for every page view event or subsequent requests within a single browsing session. Once the TCP connection is established, subsequent requests can reuse the existing connection, which eliminates the need for the TCP handshake and reduces the overall latency. More info from the documentation
detailed_page_load_time.dom_content_loading
duration
DOM loaded time: The time it took for a webpage to finish creating its visual structure, known as the render tree. It starts when the necessary styles for the page, known as the CSS Object Model, are ready. The 'DOMContentLoaded' event is triggered before the complete loading of external resources such as images, stylesheets, and scripts. This means that once this event is completed, critical functionality and interactivity become available to users, even if additional resources are still loading in the background. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The timing metric associated with the 'DOMContentLoaded' event includes two properties: 'domContentLoadedEventStart' and 'domContentLoadedEventEnd.' These properties represent the start and end times of the render tree creation process. Optimizing the 'DOMContentLoaded' event can significantly improve the perceived performance of a webpage. Techniques to enhance this metric include minimizing render-blocking resources, lazy loading non-critical resources, optimizing JavaScript execution, and implementing resource caching. More info from the documentation
detailed_page_load_time.dom_processing
duration
DOM processing time: The time it takes for a webpage to finish building its structure and become fully interactive. This process is called constructing the Document Object Model (DOM).This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The complete state, represented by the 'domComplete' property, marks the point when the browser has fully constructed the DOM tree, including any dynamically generated or modified elements. It signifies the completion of the DOM processing phase. Optimizing DOM processing involves techniques like optimizing HTML structure, reducing DOM complexity, optimizing external resources, and improving JavaScript execution. Faster DOM processing leads to quicker rendering and interactivity, enhancing the overall user experience. More info from the documentation
detailed_page_load_time.domain_lookup
duration
DNS lookup time: The time spent on DNS resolution, for example, the time between the browser starting to resolve the domain name and when the resolution is complete. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that the this metric is not measured for every request. It is typically measured once per browsing session or connection. More info from the documentation
detailed_page_load_time.load_event
duration
Load event time: The time spent on the page load event. The load event is fired when all resources, including images, scripts, stylesheets, and subframes, have finished loading, and the webpage is fully rendered and ready for user interaction. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When you visit a webpage, the browser needs to download and process various resources like images, scripts, stylesheets, and other elements. The 'loadEventStart' property indicates the point when the browser begins loading these resources.The 'loadEventEnd' property, on the other hand, represents the moment when the webpage has finished loading all the necessary resources and is fully displayed on the screen, ready for you to use. If the load event takes a long time to complete, it could indicate issues such as slow server response, large resource sizes, excessive JavaScript execution, or inefficient resource loading strategies. More info from the documentation
detailed_page_load_time.redirect
duration
Redirect time: The time spent on page redirections. If there are any redirects involved in the navigation, these properties indicate the start and end times of the redirect process. They measure the time taken to complete any HTTP redirects, which occur when a server responds to a request with a redirection status code. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Redirects could happen, for example, when a website has changed its URL or when certain content has been moved. More info from the documentation
detailed_page_load_time.request
duration
Request time: The time it takes to wait for the first byte of the document response. This is the time between when the browser starts requesting the document from the server, and when the browser receives the first by of the response from the server. This metric is the only contributor to the 'backend time' metric. Backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries, or server overload. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
detailed_page_load_time.response
duration
Response time: The elapsed time between the first and last bytes of the response. It measures the efficiency of network communication and contributes to the 'network time' metric. Optimizing response time involves minimizing network latency, using data compression, implementing caching mechanisms, and reducing round trips. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
detailed_page_load_time.secure_connection
duration
TLS time: The time it takes to establish a secure socket connection (TLS handshake) between the browser and the webserver. This metric represents a part of the connection metric. Note that the this metric is not measured for every page view event or subsequent requests within a single browsing session. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
detailed_page_load_time.unload_event
duration
Unload event time: The time spent on the page unload event. An unload event is triggered when the user navigates away from the page or when the page is reloaded. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
domains_contacted
integer
Number of domains contacted: It indicates the number of unique domain names from which various resources (such as images, scripts, stylesheets, fonts, etc.) are being fetched. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: This metric indicates the level of domain diversity in terms of resource retrieval during the loading process of a web page. These domains can include the application's own domain, as well as domains for third-party resources like analytics scripts, ads, content delivery networks (CDNs), and more. Each unique domain contacted represents a separate server from which the browser needs to fetch resources, and this can impact overall page load times.
end_time
datetime
Bucket end: The date and time of the bucket end.
experience_level
enumeration
Experience level: The user experience level of a navigation evaluated by the extension, based on the defined thresholds. Possible values are:
good
average
frustrating
Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The thresholds are configured for each application through the application configuration menu. More info from the documentation
is_soft_navigation
bool
Soft navigation: It indicates whether a navigation is a hard navigation or soft navigation. Soft navigations refer to navigations within a single-page application, where the browser does not load a new page, as opposed to hard navigations where a webpage is initially loaded. Note that soft navigations are not collected by default and should be enabled on a per-application basis. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
largest_resource_load_time
duration
Largest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: When a user's browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. This metric is collected through 'Performance Resource Timing' API.
largest_resource_size
bytes
Size of the largest resource: The size of the largest resource. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. This metric is collected through 'Performance Resource Timing' API.
largest_resource_type
string
Type of the largest resource: The type of the largest resource, e.g: 'stylesheet', 'script', 'image'. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. This metric is collected through 'Performance Resource Timing' API.
largest_resource_url
string
URL of the largest resource: It indicates the URL of the largest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. Note that resource URLs are sanitised using the sanitisation rules described in the online documentation . This metric is collected through 'Performance Resource Timing' API.
longest_resource_load_time
duration
Longest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. If a specific resource takes a significantly longer time to load compared to others, it may affect the overall loading speed of your web application. Note that a page can be perceived as loaded even though some of the resources are being loaded in the background. For hard navigation measurements, we use "Navigation Timings API", which reports page load times for the main document. This is why, for some hard navigations, you can see an overall page load time reported to be shorter than the "longest resource load time". This metric is collected through the "Performance Resource Timing" API.
longest_resource_size
bytes
Size of the longest resource: The size of the longest resource. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. This metric is collected through 'Performance Resource Timing' API.
longest_resource_type
string
Type of the longest resource: The type of the longest resource, e.g: 'stylesheet', 'script', 'image'. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. This metric is collected through 'Performance Resource Timing' API.
longest_resource_url
string
URL of the longest resource: It indicates the URL of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: Note that resource URLs are sanitised using the sanitisation rules described in the online documentation . This metric is collected through 'Performance Resource Timing' API.
number_of_active_tabs
long
Number of active tabs: It indicates the number of open and active tabs of a browser. Users may experience web application slowness if this value is too large. This measurement is collected for every navigation and transaction event. Note that browsers offload or deactivate certain tabs over time to save memory. This metric presents the active tabs on a browser that are not offloaded or deactivated. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
number_of_large_resources
integer
Number of large resources: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that are larger than 100KB, during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When a browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. This metric is collected through "Performance Resource Timing" API.
number_of_page_views
integer
Number of page views: The number of page views that took place within the time bucket. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser.
number_of_resource_errors
integer
Number of resource errors: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that failed to load or encountered errors during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Resource errors can indicate that some files or assets are missing from the web application. This may result in broken links, missing images, or non-functional scripts. This metric is collected through the "Performance Resource Timing" API.
number_of_resources
integer
Number of resources: It indicates the total number of resources (such as images, scripts, stylesheets, or other files) loaded during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The more resources a web page has, the longer it may take to load and render in the browser. By analyzing the number of resources, you can identify opportunities to optimize the performance of your web application. For example, you might consider minimizing or combining CSS and JavaScript files, compressing images, or using caching techniques to reduce the number of requests made to the server. This metric is collected through the "Performance Resource Timing" API.
page_load_time.backend
duration
Backend time: The estimated time spent on the backend side during a navigation. The backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries or server overload. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation
page_load_time.client
duration
Client time: The time taken by the client-side application, running on the device, to respond. It represents the portion of the total page load time that is not spent on network and backend, for example 'Client time' is 'Total page load time' minus 'Backend time' and 'Network time'. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long client time can indicate issues such as slow rendering of page elements, excessive JavaScript processing, inefficient CSS styling or device/OS processing other tasks. More info from the documentation
page_load_time.network
duration
Network time: The time it takes for a web request to travel over the network from client device to the server and for the server response to travel back. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long network time can indicate issues such as network congestion, poor server performance, or geographical distance between the server and the client. It is important to note that the network time can also be impacted by the size and complexity of the web page being loaded, as well as the geographical location of the server and the client device. More info from the documentation
page_load_time.overall
duration
Page load time: It indicates the time taken by a page to load. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.
response_size
bytes
Response size: The size of the HTTP response.
start_time
datetime
Bucket start: The date and time of the bucket start.
The table collecting transactions of defined business-critical services.
transactions are sampled events.
transactions are associated to binary, device, user, application, transaction
adapter_type
enumeration
Adapter type: The type of adapter used when the transaction occurred. Possible values are:
WiFi
Ethernet
Bluetooth
bucket_duration
duration
Bucket duration: The duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Transaction duration: The time it took for the transaction to complete.
end_time
datetime
Bucket end: The end time of the bucket.
experience_level
enumeration
Experience level: The user experience level of a transaction evaluated by the extension, based on the defined thresholds. Possible values are:
good
average
frustrating
Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The thresholds are configured for each application through the Applications configuration menu.
number_of_transactions
integer
Number of transactions: The number of transactions that took place within the time bucket.
start_time
datetime
Bucket start: The start time of the bucket.
status
enumeration
Status: The transaction status. Possible values are:
completed
time_out
aborted_unload
aborted_new
aborted_input
Requirements: Applications and transactions needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: The 'time_out' status is received when the end trigger was not received within 10 minutes. The 'aborted_unload' status is received when navigation to a new web application on the same tab takes place, or the tab was closed before the transaction was completed. The 'aborted_new' status is received when the transaction was aborted by the same, or another, transaction, i.e. when the detection restarts. The 'aborted_input' status is received when the detection was aborted by a user interaction.
The table collecting transactions of defined business-critical services up to 90d
transactions_summary are sampled events.
transactions_summary are associated to application, transaction
adapter_type
enumeration
Adapter type: The type of adapter used when the transaction occurred. Possible values are:
WiFi
Ethernet
Bluetooth
bucket_duration
duration
Bucket duration: The duration of the bucket.
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration
duration
Transaction duration: The time it took for the transaction to complete.
end_time
datetime
Bucket end: The end time of the bucket.
experience_level
enumeration
Experience level: The user experience level of a transaction evaluated by the extension, based on the defined thresholds. Possible values are:
good
average
frustrating
Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The thresholds are configured for each application through the Applications configuration menu.
number_of_transactions
integer
Number of transactions: The number of transactions that took place within the time bucket.
start_time
datetime
Bucket start: The start time of the bucket.
status
enumeration
Status: The transaction status. Possible values are:
completed
time_out
aborted_unload
aborted_new
aborted_input
Requirements: Applications and transactions needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: The 'time_out' status is received when the end trigger was not received within 10 minutes. The 'aborted_unload' status is received when navigation to a new web application on the same tab takes place, or the tab was closed before the transaction was completed. The 'aborted_new' status is received when the transaction was aborted by the same, or another, transaction, i.e. when the detection restarts. The 'aborted_input' status is received when the detection was aborted by a user interaction.
The workflows namespace consists of tables giving details about workflows, including configuration data and executions of workflows. Workflows are a dynamic and logical collection of Nexthink and 3rd party actions combined to deliver a multi-faceted solution.
workflow
name
string
Name: The name of the workflow. Details: User defined friendly name created through the workflow configuration page. The name of the workflow can be changed after the creation and should not be considered as a unique identifier.
nql_id
string
Workflow NQL ID: The unique identifier of a workflow. Details: The NQL ID cannot be changed after the initial creation.
execution
executions are punctual events.
executions are associated to device, user, workflow
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
duration_seconds
duration
Execution Duration: The time taken for the workflow execution to complete. Details: The execution duration is a measure of the time between the workflow execution start and end states.
execution_id
uuid
Execution ID: The unique identifier of the workflow execution. Details: The execution ID is used to identify a single workflow execution and is generated when a workflow is started.
external_reference
string
External reference: An identifier of the external web application record in reference to which the workflow was executed. Details: The field could contain the values such as the ticket identifier of the ITSM ticket.
external_source
string
External source: Name of the external system, outside of Nexthink, from where the workflow was triggered. Details: External source contains the name of the external system which either used Nexthink product or directly the API to trigger the workflow.
inputs
string
Inputs: A list of inputs provided for the workflow execution. Details: The list of inputs provided for the workflow execution at the point it was triggered. These inputs are used by the workflow to influence both the outcomes of actions within the flow and the logical path which the workflow takes.
internal_source
string
Internal source: Displays the name of the feature from which the workflow was triggered. Possible values: Amplify, Remote Action, Workflow, Investigation, Device view, or blank for no value.
number_of_executions
long
Number of executions: The number of times this workflow execution attempted to run.
outcome
enumeration
Outcome: The resulting outcome of finishing a workflow Details: Possible values:
unspecified
action_taken
no_action_taken
failed
other
outcome_details
string
Outcome details: The reason why the outcome of a workflow was reached Details: The details of why an outcome has been reached after finishing a workflow
request_id
uuid
Request ID: The unique identifier of the request that created this workflow execution. Details: The request ID is generated and linked to individual workflow executions when a workflow is triggered against one or multiple targets. This field can be used as a method of grouping workflow executions together against the request to run them.
request_time
datetime
Request time: The date and time that the workflow execution was triggered.
status
enumeration
Status: The status of the execution. Possible values are:
failure
success
in_progress
cancelled
Details: The status can be used to monitor whether a workflow execution has finished or not. Possible values:
in_progress
success
failed canceled
status_details
string
Status details: The latest message returned by the workflow execution. Details: The status details field is usually only populated when the workflow execution has encountered a problem. The field contains a description of why the workflow execution has not completed successfully.
time
datetime
Last updated: It represents the date and time the workflow execution was last updated.
trigger_method
enumeration
Trigger method: The trigger that was used to start the workflow execution. Details: Possible values:
manual
null
scheduler
api
event
workflow_version
integer
Workflow version: The version of the workflow used for this execution. Details: The workflow version field helps to identify which version of the workflow design is being followed for this specific workflow execution.
execution_summary
executions_summary are sampled events.
executions_summary are associated to workflow
context.location.country
string
Country location: The country in which the device is located at the time of the event.
context.location.site
string
Site: The site of location indicates the devices rule based site at the time of the event.
context.location.state
string
State location: The state in which the device is located at the time of the event.
context.location.type
string
Location type: The type of location indicates whether the device is onsite or remote at the time of the event.
context.organization.entity
string
Entity: The organizational entity to which the device belongs.
inputs
string
Inputs: A list of inputs provided for the workflow execution. Details: The list of inputs are those were provided for the workflow execution by the user, via a schedule or from a call to the Nexthink Infinity API. These inputs are used by the workflow to influence both the outcomes of actions within the flow and the logical path which the workflow takes.
number_of_executions
long
Number of executions: The number of times this workflow execution attempted to run.
outcome
enumeration
Outcome: The resulting outcome of finishing a workflow Details: Possible values:
unspecified
action_taken
no_action_taken
failed
other
outcome_details
string
Outcome details: The reason why the outcome of a workflow was reached Details: The details of why an outcome has been reached after finishing a workflow
status
enumeration
Status: The overall status of the workflow execution. Details: The status can be used to monitor whether a workflow execution has finished or not. Possible values:
in_progress
success
failed
canceled
time
datetime
Time: The date and time the workflow execution was last updated.
trigger_method
enumeration
Trigger method: The trigger that was used to start the workflow execution. Details: Possible values:
manual
null
scheduler
api
event