NQL data model

Last updated 29 days ago

Data model concepts

Consult the Understanding key data platform concepts page for more information about the various data model concepts.

This page does not include the dynamic data model, such as custom trends, custom fields or custom organizational classification, which is individual for each organization based on specific content and product configurations.

Data model tables

Table

Description

devices

Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.

device.antiviruses

The list of antivirus registered on the device and reported through WMI.

device.cpus

The list of CPU model names and their nominal clock speeds.

device.disks

The list of storage devices.

device.firewalls

The list of firewalls registered on the device and exposed through the Windows Security Center.

device.gpus

The graphics processing unit.

device.local_admins

The list of users and groups that are members of the local Administrators group on the device.

device.monitors

The list of monitors connected to the device.

device.volumes

The list of logical storage volumes.

binaries

Table of binaries. A binary is an executable binary file identified by its hash code.

users

Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.

alert.monitors

The table of defined alert monitors in the system.

alerts

The table collecting information about instances where metric values go outside normal parameters as defined in monitors.

alert.impacts

The table collecting information about instances of an alert impact.

applications

Table of defined applications.

application.network_applications

Table of defined network applications.

application.pages

Table of defined key pages.

application.transactions

Table of defined transactions.

campaigns

The table collecting all active and retired campaigns.

campaign.responses

The table collecting responses (expected or given) of a campaign by an employee.

collaboration.sessions

Table collecting meetings performed with collaboration tools such as Teams or Zoom.

connection.events

The connections.events table contains events for outgoing TCP connections and UPD packages. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated to binaries, users, devices, and applications (optional).

connection.tcp_events

The connections.tcp_events table has been deprecated. Please use 'connection.events' table instead.

connection.udp_events

The connections.udp_events table has been deprecated. Please use 'connection.events' table instead.

connectivity.events

Table collecting performance metrics and attributes specific to a device's connectivity.

device_performance.boots

The table collecting boots of devices.

device_performance.events

The table collecting performance metrics and attributes specific to a device.

device_performance.hard_resets

The table contains hard resets, which occur when a device reboots without first completing the shutdown procedure. This could apply to situations where a device totally freezes up and can only be restarted by turning it off first, as well as situations involving power outages.

device_performance.system_crashes

The table collecting the system crashes of the devices.

dex.application_scores

application_score

dex.scores

A table of the DEX score.

execution.crashes

The table collecting crashes of a running process.

execution.events

The table collecting performance metrics and attributes specific to a process execution.

packages

A table of packages. A package is a group of files and executables that together constitute a software application.

package.installations

A table of package installation events.

package.uninstallations

A table of package uninstallation events.

package.installed_packages

A table of all installed packages on all devices.

platform.audit_logs

The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'

platform.custom_trends_logs

The list of all logs associated to custom trends computations. Requires permission 'View platform logs in NQL'.

platform.data_export_logs

data_export_log

remote_actions

The table of defined remote actions.

remote_action.executions

The table collecting the executed remote actions.

remote_action.executions_summary

The table collecting the trend of executed remote actions.

services

A table of services. A service performs automated tasks, respond to hardware events, or listen for data requests from other software. These services are often loaded automatically at startup, and run in the background, without user interaction

service.changes

Timeline of events when an attribute of an existing service has changed on a device. The attributes tracked by these events are the same as in the installed_services table. Eg. logon_as & startup_type.

service.installations

Punctual event, indicating when an service was added or removed to a particular device.

service.installed_services

A table of all installed services on all devices.

session.connects

The table collecting connections linked to user sessions.

session.disconnects

The table collecting disconnections linked to user sessions.

session.events

The table collecting performance metrics and attributes specific to both local and remote sessions.

session.lifecycle_events

The table collecting all events linked to user sessions.

session.locks

The table collecting locks linked to the user sessions.

session.logins

The table collecting all session logins.

session.logouts

The table collecting all session logouts.

session.unlocks

The table collecting unlocks linked to user sessions.

software_metering.meter_configurations

meter_configuration

software_metering.events

event

web.errors

The table collecting errors of defined business-critical services.

web.errors_summary

The table collecting errors of defined business-critical services up to 90d

web.events

The table collecting events of defined business-critical services.

web.events_summary

The table collecting events of defined business-critical services up to 90d

web.page_views

Table collecting page views of defined business-critical services.

web.page_views_summary

Table collecting page views of defined business-critical services up to 90d

web.transactions

The table collecting transactions of defined business-critical services.

web.transactions_summary

The table collecting transactions of defined business-critical services up to 90d

workflows

workflow

workflow.executions

execution

workflow.executions_summary

execution_summary

Namespace device

The device namespace includes one large devices table, which has multiple fields referring to device properties such as hardware, operating system and also Nexthink Collector.

devices

Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.

Field

Type

Description

Supported platforms

ad_site

string

AD site: Indicates the site to which the device is assigned to in Active Directory (AD). Details: In case the device is not part of a domain, the value shows as "-".

Windows macOS

boot.days_since_last_full_boot

integer

Days since last full boot: The number of days since the device last boot following a restart or a complete shutdown.

Windows macOS

boot.last_full_boot_duration

duration

Last full boot duration: The duration of the device last boot following a restart or a complete shutdown.

Windows

boot.last_full_boot_time

datetime

Last full boot time: The date and time of the device last boot following a restart or a complete shutdown.

Windows macOS

collector.last_update_status

string

Collector last update status: The last update status received from a specific Collector instance.

Windows macOS

collector.last_update_status_date

datetime

Collector last update status date: The reception date of the last update status for a specific Collector instance.

Windows macOS

collector.local_ip

ipAddress

Collector local IP: The local IP used for the traffic between the endpoint and the Nexthink Instance.

Windows macOS

collector.tag_id

integer

Collector tag: The configurable number that identifies a group of Collector instances. The tag is useful for defining the entities to build hierarchies. Details: An optional field that must be an integer number between 0 and 2147483647. Could complement the Collector string tag.

collector.tag_string

string

Collector string tag: The configurable label that identifies a group of Collector instances. The string tag is useful for defining the entities to build hierarchies. Details: An optional field, with a maximum length of 2048 characters. Could complement the Collector tag.

Windows macOS

collector.target_update_date

datetime

Collector target update date: The date when the devices install the target version.

Windows macOS

collector.target_version

version

Collector target version: The version to which all Collector instances update next.

Windows macOS

collector.uid

uuid

UID: The Collector unique identifier, provided using the UUID format.

collector.update_group

string

Collector update group: For scheduling separate waves of Collector updates, the devices are assigned to one of the available update groups.Possible values:

Pilot
Main
Unsupported OS

Details: By default, 10% of all the Collector instances are assigned to the Pilot update group. The Pilot group starts updating two days after a new Collector version is available. The Main group starts updates 14 days after the Pilot group.

Windows macOS

collector.version

version

Collector version: Indicates the version of the Collector instance installed on the device.

Windows macOS

connectivity.last_connectivity_type

enumeration

Connectivity type: Last type of network adapter used. Possible values are:

WiFi
Ethernet
Bluetooth

Windows macOS

connectivity.last_local_ip

ipAddress

Local IP: The last local IP address for the primary physical network adapter of the device.

Windows macOS

days_since_first_seen

integer

Days since first seen: The number of days since the first time the device was seen by the Nexthink instance.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the device was seen active by the Nexthink instance.

Windows macOS

distinguished_name

string

Distinguished name: The unique identifier of a device when joined to a domain or workgroup. Details: Shows as "-" when the device is not part of a domain or workgroup.

Windows macOS

entity

string

Entity: A customizable field used for organizing a group of devices into logical groups.

Windows macOS

first_seen

datetime

First seen: The date and time the device was first seen by the Nexthink instance.

Windows macOS

group_name

string

Group name: The name of the security group containing the device when joined to a domain or workgroup.

Windows

hardware.bios_serial_number

string

BIOS serial number: The serial number of the motherboard. Details: On macOS, this is the same as the chassis serial number.

Windows macOS

hardware.chassis_serial_number

string

Chassis serial number: The chassis serial number. Details: On macOS, this is the same as the BIOS serial number.

Windows macOS

hardware.machine_serial_number

string

Machine serial number: The unique serial number of the device in a UUID format.

Windows macOS

hardware.manufacturer

string

Manufacturer: The short name of the device manufacturer. Details: While devices might natively report slight variations of it, for example, sometimes dependent on the model or year of introduction, the information is simplified to ensure consistency across different devices of the same manufacturer.

Windows macOS

hardware.memory

bytes

Installed memory: The total amount of random-access memory (RAM) installed on the device.

Windows macOS

hardware.model

string

Device model: The model of the device. Details: On Windows, it is provided by the device manufacturer using the WMI interface as the product name. On macOS it is the "model id" provided by System Profiler.

Windows macOS

hardware.product_id

string

Product ID: A variant of a specific device model, sometimes also referred to as the SKU number. Details: Provided by the device manufacturer through the WMI interface as the SKUNumber.

Windows

hardware.product_line

string

Product line: The product line or hardware version information. Details: Provided by the device manufacturer through the WMI interface as the product version.

Windows macOS

hardware.type

enumeration

Device type: The device form factor:

desktop
laptop
virtual

Details: The Windows devices are considered to be a laptop if they have a "lid closed" sensor. For macOS this information comes from the device model.

Windows macOS

last_seen

datetime

Last seen: The date and time of the last device activity received by the Nexthink instance.

Windows macOS

license_type

enumeration

License type: The type of license used for this device. Possible values:

endpoint
server
thin_client

Windows macOS

location.country

string

Country: The country where the device is located.

Windows macOS

location.site

string

Site: Custom-defined identifier (office, city, ...) where the device is located.

Windows macOS

location.state

string

State: The subdivision (for example, state) where the device is located.

Windows macOS

location.type

string

Location type: The type of location indicates whether the device is onsite or remote.

Windows macOS

string

Last logged in user: The name of the user associated to the last login on the device.

Windows macOS

membership_type

enumeration

Membership type: The type of computer group membership. Possible values:

standalone
workgroup
domain
open directory

Details: Possible values:

domain
workgroup
standalone
open directoryWhen not available, shows as "-".

Windows

name

string

Name: The name of the device as used by the operating system for identification purposes on the local network. Details: Source:

For Windows: NetBios Name
For macOS: LocalHostName

Windows macOS

operating_system.architecture

enumeration

Architecture: The architecture of the device operating system. The instruction set it can natively execute. Details: Possible values:

x86
x64
ARM64

Windows macOS

operating_system.build

version

Build: The build number of the operating system. Details: The build number is set to "0.0.0.0" if the Collector version is incompatible or the data is not yet available.

Windows

operating_system.days_since_last_update

integer

Days since last system update: The number of days since the last system update.

Windows

operating_system.is_activated

bool

Is activated: The Windows license activation status. Details: macOS does not require a license since OSX 10.9 Mavericks (released in 2013), and shows as "-".

Windows

operating_system.last_update

datetime

Last system update: The date and time of the last system update.

Windows

operating_system.name

string

Name: The combination of the name, version and architecture (when applicable) of the operating system. Details: The operating system name is set to "Unknown" if the name or version cannot be retrieved or mapped to a valid value.

Windows macOS

operating_system.platform

enumeration

Platform: The software platform composed of a collection of operating system families providing access to the same objects, activities, events and properties. Details: Possible values are:

Windows
macOS
Linux

Windows macOS

operating_system.wmi_status

enumeration

WMI status (deprecated): This field is deprecated and will be replaced in the future. Details: The status of the WMI extension Collector relies on for device identification. Used internally to mitigate potential transient issues with this particular WMI source.

Windows

organization.entity

string

Entity: The organizational entity to which the device belongs.

public_ip.city

string

City: The city where the device is located.

Windows macOS

public_ip.country

string

Country: The country where the device is located.

Windows macOS

public_ip.ip_address

ipAddress

Public IP address: The public IP address of the device.

Windows macOS

public_ip.isp

string

ISP: The internet service provider of the device.

Windows macOS

public_ip.state

string

State: The subdivision (for example, state) where the device is located.

Windows macOS

sid

string

SID: The Security Identifier (SID) of the device, often used for identification and permission control purposes.

Windows

uid

uuid

Device UID: Unique identifier of the device.

Windows macOS

user_account_control_status

enumeration

User account control status: Indicates if the User Account Control (UAC) is configured, forcing applications to request explicit approval from the user to make changes to the computer or to run with elevated permissions. Details: Possible values:

ok (apps ask for approval)
at risk
unknown

virtualization.desktop_broker

enumeration

Desktop broker: Name of the desktop virtualization product used to broker the remote desktop connections.

Windows

virtualization.desktop_pool

string

Desktop pool name: The hardware characteristics of the associated virtual machines.

Windows

virtualization.disk_image

string

Disk image: Name of the disk image used to deploy the virtual machine.

Windows

virtualization.environment_name

string

Environment name: Name of the connector used to retrieve the virtualization details.

Windows

virtualization.hostname

string

Virtualization hostname: The physical device on which the virtual machine is hosted.

Windows

virtualization.hypervisor_name

string

Hypervisor name: The hardware virtualization system running the virtual machine.

Windows

virtualization.instance_size

string

Instance size: A predefined configuration that determines the CPU, memory and storage which is allocated to a virtual machine.

Windows

virtualization.last_update

datetime

Last update: Date and time when the desktop virtualization information was last updated.

Windows

virtualization.region

string

Region: Geographical areas where one or more Microsoft Azure data centers are located.

Windows

virtualization.type

enumeration

Desktop pool type: The type of the desktop pool. Possible values are:

shared, several users work on the same virtual machine at the same time
personal, the virtual machine is used by one user at a time and all changes to the system persist
pooled, the device is used by one user at a time and during the logoff all changes including documents and data are erased.

Windows

antiviruses

The list of antivirus registered on the device and reported through WMI.

Field

Type

Description

Supported platforms

is_up_to_date

enumeration

Up to date: The up-to-date status of the antivirus. Possible values are:

yes
no
not_reported
not_applicable

Windows

name

string

Name: The name of the main antivirus.

Windows

real_time_protection

enumeration

Real-time protection: The status of the antivirus real time protection (RTP). Possible values are:

not_reported: incompatible Collector version or the data is not yet available
enabled: : indicates that the RTP is active
disabled: indicates that either the RTP is inactive or the antivirus is not detected
partially_enabled
not_applicable

Windows

cpus

The list of CPU model names and their nominal clock speeds.

Field

Type

Description

Supported platforms

frequency

integer

CPU frequency: The CPU base frequency in MHz. The base frequency can be much smaller than the maximum turbo frequency. For example, the Intel Core i7-8565U CPU has a base frequency of 1.80 GHz and a maximum frequency of 4.6 GHz.

Windows macOS

name

string

CPU name: The CPU model.

Windows macOS

number_of_cores

integer

Number of cores: The number of CPU cores.

Windows macOS

number_of_logical_processors

integer

Number of logical processors: The number of CPU cores multiplied by the number of threads that can run on each core using hyperthreading.

Windows macOS

disks

The list of storage devices.

Field

Type

Description

Supported platforms

capacity

bytes

Capacity: The disk capacity. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

Windows macOS

is_bootable

bool

Is bootable: Returns the value "yes" when the device boots from that disk.

Windows macOS

name

string

Name: The name of the physical or virtual disk drive.

Windows macOS

type

enumeration

Type: The type of drive. Possible values are:

HDD
SSD
Other

Windows macOS

firewalls

The list of firewalls registered on the device and exposed through the Windows Security Center.

Field

Type

Description

Supported platforms

name

string

Name: The name of the main firewall.

Windows

real_time_protection

enumeration

Real-time protection: The status of the firewall real time protection (RTP). Possible values are:

not_reported: incompatible Collector version or the data is not yet available
enabled: indicates that RTP is active
disabled: indicates that either RTP isn’t active or no antivirus has been detected
partially_enabled
not_applicable

Windows

gpus

The graphics processing unit.

Field

Type

Description

Supported platforms

memory

bytes

Memory: The video memory in bytes.

Windows

name

string

Name: The graphics card name.

Windows

local_admins

The list of users and groups that are members of the local Administrators group on the device.

Field

Type

Description

Supported platforms

name

string

Name: The users who are members of the local Administrators group on the device.

Windows

type

enumeration

Type: The type of the user. Possible values are:

user
group

Windows

monitors

The list of monitors connected to the device.

Field

Type

Description

Supported platforms

diagonal_size

float

Diagonal size: The diagonal size in inches.

Windows

horizontal_resolution

integer

Horizontal resolution: The maximum horizontal resolution in pixels.

Windows

name

string

Name: The monitor name.

Windows

serial_number

string

Serial number: The monitor serial number.

Windows

vendor

string

Vendor: The monitor vendor.

Windows

vertical_resolution

integer

Vertical resolution: The maximum vertical resolution in pixels.

Windows

volumes

The list of logical storage volumes.

Field

Type

Description

Supported platforms

capacity

bytes

Capacity: The volume capacity in bytes. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

Windows macOS

name

string

Name: The name of the volume.

Windows macOS

system

bool

Operating system volume: Returns the value "yes" when the volume contains the operating system.

Windows macOS

usage

float

Usage: The volume usage in percent.

Windows macOS

Namespace binary

Table of binaries. A binary is an executable binary file identified by its hash code.

binaries

Table of binaries. A binary is an executable binary file identified by its hash code.

Field

Type

Description

Supported platforms

architecture

enumeration

Architecture: The operating system architecture the binary is compiled for (32-bit or 64-bit).

Windows macOS

company

string

Company: The name of the company that produced the binary. Details: Information retrieved from the file properties.

Windows macOS

description

string

Description: Used for describing the purpose of the binary or to complement it with additional details. Details: Description is generated by AI.

Windows macOS

first_seen

datetime

First seen: The date and time the binary was first seen by the Nexthink instance.

Windows macOS

has_user_interface

bool

Has user interface: Indicates if the binary has an interactive window while running. Details: On Windows platform the reported value is 'true', or 'false' if the binary has no interactive window or if the information is not available. Any other platform is always NULL.

Windows

last_seen

datetime

Last seen: The date and time of the last binary activity received by the Nexthink instance.

Windows macOS

md5_hash

bytea

MD5 hash: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The MD5 hash represented in base64 format.

Windows macOS

md5_hash_hex

bytea

MD5 hash hex: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The MD5 hash represented in hex format.

Windows macOS

name

string

Name: The file name of the binary.

Windows macOS

platform

enumeration

Platform: The operating system family on which the binary natively runs. Details: Possible values are:

Windows
macOS
Linux

Windows macOS

product_category

string

Product category: Category is a broad, general classification of similar products. Details: Category is generated by AI.

Windows macOS

product_name

string

Product name: The name of the application associated with the file. Details: Information retrieved from the file properties.

Windows macOS

product_subcategory

string

Product subcategory: Subcategory is a more specific classification or subdivision within a larger category. Details: Subcategory is generated by AI.

Windows macOS

sha-1_hash

bytea

SHA-1 hash: The SHA-1 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary. Details: The SHA-1 hash represented in base64 format.

Windows macOS

sha-1_hash_hex

bytea

SHA-1 hash hex: The SHA-1 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The SHA-1 hash represented in hex format.

Windows macOS

sha-256_hash

bytea

SHA-256 hash: The SHA-256 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary. Details: The SHA-256 hash represented in base64 format.

Windows macOS

sha-256_hash_hex

bytea

SHA-256 hash hex: The SHA-256 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary. Details: The SHA-256 hash represented in hex format.

Windows macOS

size

bytes

Size: The size of the binary file, in bytes.

Windows macOS

uid

uuid

Binary UID: The unique identifier for the binary.

Windows macOS

version

Version: The version of the binary file, retrieved from the file properties.

Windows macOS

Namespace user

The users table within the user namespace, includes information about the individual accounts across the IT infrastructure. It contains all employees recognized by your Nexthink instance. Most of the table fields are derived from Entra ID and are included in the "ad" grouping. A user may have access to more than one device.

users

Field

Type

Description

Supported platforms

ad.city

string

City: The name of the city the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.country_code

string

Country code: The country or region the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: The country or region is represented as a two-character code based on the ISO-3166 standard. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.department

string

Department: The name of the department the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.distinguished_name

string

Distinguished name: The unique identifier of a domain user for an on-premises Active Directory (AD). Requirements: Requires one or more connectors for Entra ID correctly configured, and Entra ID needs to be synchronized with an on-premises AD. Details: The distinguished name follows the LDAP syntax. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.email_address

string

Email address: The email address of the user. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.full_name

string

Full name: The name displayed in the address book for the user. This is usually the combination of the user first name, middle initial and last name. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.job_title

string

Job title: The job title assigned to the user in Active Directory. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.last_update

datetime

Last update: The date and time of the last update received for the user information from Entra ID.

Windows macOS

ad.office

string

Office: The name of the physical location or office the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.organizational_unit

string

Organizational unit name: The name of the directory folder containing the user account. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.username

string

AD Username: The name of the user account as it appears in Entra ID. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

days_since_first_seen

integer

Days since first seen: The number of days since the first time the user account was seen by the Nexthink instance.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the user account was seen active by the Nexthink instance.

Windows macOS

first_seen

datetime

First seen: The date and time the user account was first seen by the Nexthink instance.

Windows macOS

last_seen

datetime

Last seen: The date and time of the last user account activity received by the Nexthink instance.

Windows macOS

name

string

Username: The name of the user account on the local device. Requirements: The collector is configured to report the username: Configuring Collector level anonymization Details: Depending on the configuration, the Collector reports username in cleartext, as a hashed value or not at all.

Windows macOS

sid

string

SID: The unique security identifier (SID) of the user account on Windows. Details: On Windows, each user account has a unique security identifier (SID) used to provide access to system resources. On macOS, a unique SID is generated by Nexthink to facilitate user identification.

Windows macOS

type

enumeration

Type: The type of the user account. Details: Nexthink recognizes three types of user accounts:

A local user account is an account that only exists on a single device. It cannot be used to login to systems other than that specific device.
A domain user account is a user account managed by Microsoft Active Directory, enabling users to log in across various devices and access multiple services.
A system account is a form of a local account that has special privileges on a device.

Windows macOS

uid

uuid

User UID: The value that uniquely identifies a user on the Nexthink platform.

Windows macOS

upn

string

UPN: The User Principal Name (UPN), a unique identifier for a user account Requirements: The Collector reports the UPN for Active Directory and Microsoft Entra ID user accounts on Windows, and for mobile and Jamf Connect-linked local user accounts on macOS. Nexthink does not report UPNs for system accounts or local accounts (without Jamf Connect for macOS). The collector must be configured to report the UPN: Configuring Collector level anonymization Details: The User Principal Names (UPN) is a standardized identifier for users (RFC822). Normally, it takes the form of an email address. The UPN allows to uniquely identify a user across systems, for example, devices with different OS platforms. Nexthink uses the UPN to enrich user objects with data from third-party services. If the Collector cannot retrieve the UPN for a user, the UPN is NULL (displayed as “-”) and the upn_privacy_level is set to no_import (independent from the Collector configuration).

Windows macOS

upn_privacy_level

enumeration

UPN privacy level: Indicates how securely the User Principal Name (UPN) is stored by the Nexthink instance. Requirements: The collector is configured to report the UPN: Configuring Collector level anonymization Details: The User Principal Name (UPN) privacy level is a Collector configuration parameter on the user device. Depending on the configuration, the Collector reports UPN in cleartext, as a hashed value or not at all. The options are represented by the following values:

cleartext
hashed
no_import

Windows macOS

Namespace alert

The alert namespace consists of two tables: alerts and monitors. Monitors store sets of rules configured by Nexthink users (monitor name, threshold, priority, etc.), describing acceptable limits for metrics. Alerts store information about instances where metric values go outside normal parameters as defined in monitors. You may want to query the alerts table if you have permission to run investigations but are not allowed to access alerts dashboards or when creating dashboards for reporting.

monitors

The table of defined alert monitors in the system.

Field

Type

Description

Supported platforms

comparison_operator

enumeration

Comparison operator: Determines when a monitor should trigger an alert. Details: It is one of the key elements used to define the conditions within a monitor in order to trigger an alert. It is specifically utilized when setting up the breaching criteria for the primary metric. A comparison operator allows for the comparison of values to determine if the specified condition is met. Possible values are:

at_least
less_or_equal

multiple_contexts

bool

Multiple-context: Indicates if the monitor triggers alerts with different contexts. Details: The value is set to "Yes" when NQL has a "group by" clause.

name

string

Monitor name: The assigned name of a configured monitor. Details: A monitor is a defined set of metrics and conditions used to continuously observe a system or process and trigger an alert when certain criteria are met. The name of the custom monitor can be changed after creation. Do not consider it as a unique identifier.

nql_id

string

NQL ID: The unique NQL identifier of the monitor. Details: NQL ID cannot be changed after initial creation.

origin

enumeration

Monitor origin: Indicates where the monitor originates from. Monitors can be built-in to the Nexthink platform (system), installed using a library pack (library) or created manually (custom)

priority

enumeration

Priority: The importance of alerts that are triggered by the monitor. Details: Possible values are:

critical
high
medium
low

defined by the user in the monitor configuration.

status

enumeration

Status: The status of the monitor as set in the "Manage monitors". Details: Possible values are:

active
deleted

alerts

The table collecting information about instances where metric values go outside normal parameters as defined in monitors.

alerts are punctual events.

alerts are associated to user, device, monitor

Field

Type

Description

Supported platforms

context

jsonArrayString

Context: The relevant information needed to understand alert. Details: Depending on the alert, the context information may contain the name of the binary, device or user associated with the alert. It is the JSON-formatted payload of the alert.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

context_hash

string

Context hash: The unique fingerprint of the alert context. Details: The fingerprint is created by calculating an MD5 hash context.

duration

Alert duration: The duration when the alert is active. Details: It is calculated as the time between the trigger and the recovery if the alert is closed, or between the trigger and now if the alert is open.

is_auto_recovery

bool

Auto-recovery: Indicates if the alert was auto-recovered. Details: Auto-recovery takes place when there are no events recorded for the metric(s) specified in the monitor configuration within the selected timeframe. Yes, if the alert is auto-recovered

is_grouped

bool

Group alert: It represents a situation where too many alerts have been generated by a single monitor at the same time. The monitor will not generate any more alerts until the situation has been resolved.

number_of_alerts

long

Number of alerts: The number of alerts triggered.

recovery_reference_value

float

Recovery reference value: It contains the reference value of the main (first) monitored metric that is checked to recover an alert.

recovery_time

datetime

Recovery time: Contains the date and time at which the alert was recovered.

recovery_value

float

Recovery value: The value of the metric that caused the alert to be recovered. Equal to the first metric value if more than one trigger condition is defined.

recovery_values

jsonArrayString

Recovery values: The lists of values of all the monitored metrics reported when the alert has recovered.

status

enumeration

Status: The status of the alert event. The status can be open or closed. Details:

Open: the alert is currently active.
Closed: the alert has been recovered.

time

datetime

Alert time: Alert bucket time.

trigger_reference_value

float

Trigger reference value: The reference value of the metric against which the current value was compared to trigger the alert.

trigger_time

datetime

Trigger time: The date and time when the alert was raised.

trigger_value

float

Trigger value: The value of the metric that bypassed the threshold defined in the monitor configuration and caused the alert to be raised. Details: Equal to the first metric value if more than one trigger condition is defined

trigger_values

jsonArrayString

Trigger values: The values of the metrics that bypassed the thresholds defined in the monitor configuration and caused the alert to be raised.

uid

uuid

Alert event UUID: The unique identifier of the alert event.

impacts

The table collecting information about instances of an alert impact.

impacts are punctual events.

impacts are associated to user, device, monitor

Field

Type

Description

Supported platforms

alert_uid

uuid

Associated alert event UUID: The unique identifier of the associated alert event.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

Impact duration: The duration of the impact. Details: It is calculated as the time between the "from_time" and the "to_time" if there is more than one trigger, or between the "from_time" and now if there is only one trigger.

from_time

datetime

Impact from: Impact from

to_time

datetime

Impact to: Impact to

Namespace application

The application namespace contains a set of tables that store information about business-critical services configured by Nexthink users in the Application module. The tables include configuration data such as the name and ID of each application, as well as defined key pages and transactions. These tables can be queried alongside associated tables to help identify issues with business-critical services.

applications

Table of defined applications.

Field

Type

Description

Supported platforms

network_applications

Table of defined network applications.

Field

Type

Description

Supported platforms

pages

Table of defined key pages.

Field

Type

Description

Supported platforms

name

string

Name: The name of the key page defined for a web application. Key pages divide a web application into functionally relevant parts based on URL patterns. Requirements: The key pages need to be defined through the application configuration menu. Details: More info from the documentation

transactions

Table of defined transactions.

Field

Type

Description

Supported platforms

name

string

Name: The name of the transaction defined for a web application. A transaction is an employee action or event in a web application that creates business value for the company. Requirements: The transactions need to be defined through the application configuration menu. Details: More info from the documentation

Namespace campaign

The campaign namespace consists of two tables. The campaign table stores information about campaigns configured by Nexthink users (such as campaign id, name, trigger method, etc.). The responses table collects all responses to campaigns. It indicates whether the employee declined or postponed the campaign or how many questions they answered.

campaigns

The table collecting all active and retired campaigns.

Field

Type

Description

Supported platforms

name

string

Name: The name of a campaign. Details: User defined through the Campaigns user interface or Finder For Infinity campaigns, only configured campaigns in the state published and retired are available in the data model. The name of the campaign can be changed after its creation and should not be considered as a unique identifier.

nql_id

string

NQL ID: The unique identifier of a campaign. Details: The NQL ID cannot be changed after its initial creation.

priority

enumeration

Priority: The configured priority of the campaign. Details: The campaign priority influences which employee protection rules are applied: urgent campaign bypass the do-not-disturb rules unlike normal campaigns. Possible values:

urgent
normal

status

enumeration

Status: The current status of the campaign. Details: Possible values:

draft - a campaign in creation that has not been finalized yet
published - an active campaign that can currently collect responses from employees
retired - a campaign that was active but has now been retire and cannot collect new responses
Only published campaign can be triggered, and only published and retired campaigns can have responses. Refer to the campaign.responses table for details.

trigger_method

enumeration

Trigger: The possible ways of triggering the campaign. Details: Possible values:

manual - triggered from an investigation results for one or more employees
investigation (Classic campaigns only) - triggered automatically based on an investigation that is evaluated regularly
schedule - triggered automatically based on an investigation that is evaluated regularly
remediation - triggered within a remote action script
api - triggered via a call to the Campaign API
workflow - triggered from a Nexthink Workflow
Campaigns with trigger type remediation do not have their responses available.

responses

The table collecting responses (expected or given) of a campaign by an employee.

responses are punctual events.

responses are associated to user, device, campaign

Field

Type

Description

Supported platforms

answers

string

Answers: The campaign answers (details and values) given by the employee. Details: The answers are structured as a JSON object that includes, for each answered question. Inspecting answers of a given campaign is best performed using the dynamic data model: for each campaign, you can use fields of campaign.nql_id.responses.answers.nql_id to inspect the answer type, the answer labels and the free-text comment.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

displayed_language

enumeration

Displayed language: The language in which the content of a multilingual campaign was shown to the employee. Details: Applicable only to multilingual campaigns. Possible values:

not_applicable, for campaigns without multiple languages activated or not answered yet
language name (english, french, etc.), once the campaign has been answered

expiry_date

datetime

Expiry Date: Show the expiry date and time of an employee campaign request.

first_displayed

datetime

First displayed time [Local]: The date and time at which the employee saw the campaign for the first time, adjusted to your local time.

first_planned

datetime

First planned time [Local]: The date and time at which the campaign is set to the planned state first, adjusted to your local time.

first_targeted

datetime

First targeted time [Local]: The date and time at which the campaign is set to the targeted state first, adjusted to your local time.

historical_state

jsonArrayString

Historical states: It describes the historical state updates for an employee campaign response. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.

historical_state_details

jsonArrayString

Historical state details: The historical state details updates for an employee campaign response, as an array sorted chronologically. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.

historical_time

jsonArrayString

Historical times: The historical update times for an employee campaign response, as an array sorted chronologically. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.

number_of_answered_questions

integer

Number of answered questions: The number of questions answered by the employee.

parameters

string

Parameters: It indicates the value of all campaign parameters as defined when triggering this campaign response.

request_id

string

Request ID: The unique identifier generated at the time the user was targeted for that campaign. Details: The request ID is the unique identifier for a campaign response. The same user may have different requests with different request ID if the user was targeted several times for the same campaign. When triggering an API campaign, the request ID is returned in the API response and can be stored for later inspection of the campaign answers.

state

enumeration

State: It describes the current state of the campaign response by a user (expected or actual). Details: Possible values:

planned - the campaign sent to a user who was online and pending display
targeted - the campaign pending answer, refer to state details for more information
answered - the campaign partially or fully answered by the user
declined - the campaign declined by the user
canceled - the response not expected anymore, refer to state details for more information
retired - the campaign retired without responses
unknown_state - the response state not reported by Nexthink

For more information, refer to response state documentation

state_details

enumeration

State Details: It describes additional details about the current state of the campaign response by a user (expected or actual). Details: The state_details value depends on the state value Nexthink registers for a particular response. For state targeted, possible state details are:

notified - the user saw the campaign popup
opened - the user saw the first question fully
offline - the user was offline when the campaign was triggered
delayed - the campaign was delayed due to user protection (classic)
postponed - the user clicked on 'remind me later' For state answered, possible state details are:
partially - the user answered only some of the required questions
fully - the user answered all required questions For state canceled, possible state details are:
user_not_found - the campaign sent to a deleted user
expired - the response not received before its expiration time
already_pending - another response for the same user expected For states planned, declined, retired and unkown_state, the state detail is:
not_applicable - no additional details

For more information, refer to response state documentation

time

datetime

Time [Local]: The date and time when the response was updated for the last time, adjusted to your local time.

trigger_method

enumeration

Trigger method: It describes the trigger method that was used to target the user for the campaign. Details: Possible values:

manual
schedule
api

Namespace collaboration

The collaboration namespace consists of only one table: sessions, which refers to all meetings performed with collaboration tools such as Teams and Zoom. It stores detailed information about each meeting, including its duration, connection type, equipment used, audio and video quality, among other details. This data is used to monitor critical collaboration applications, for example, using dashboards with call quality overview.

sessions

Table collecting meetings performed with collaboration tools such as Teams or Zoom.

sessions are punctual events.

sessions are associated to user, device

Field

Type

Description

Supported platforms

application.type

enumeration

Application type: Type of the application used for a given call. Possible values are:

Teams
Zoom

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

application.version

version

Application version: Application version used during the session. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

audio.inbound_jitter

duration

Audio inbound jitter: Average change in delay between successive inbound audio packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 30ms, the related session is considered as having a poor audio quality.

audio.inbound_latency

duration

Audio inbound latency: The time it takes an inbound audio packet to reach a participant’s device. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor audio quality.

audio.inbound_packet_loss

float

Audio inbound packet loss: Ratio of inbound audio packets that never reach their destination compared to the total of audio packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor audio quality.

audio.inbound_rocs

float

Audio inbound ROCS: Ratio comparing the number of audio frames generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 0.07, the related Teams session is considered as having a poor audio quality.

audio.inbound_rtt

duration

Audio inbound RTT: Time an audio packet takes to reach a participant’s device and for the response to reach its origin. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor audio quality.

audio.outbound_jitter

duration

Audio outbound jitter: Average change in delay between successive outbound audio packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

audio.outbound_latency

duration

Audio outbound latency: The time it takes an outbound audio packet to reach its destination from a participant’s device. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

audio.outbound_packet_loss

float

Audio outbound packet loss: Ratio of outbound audio packets that never reach their destination compared to the total number of outbound audio packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

audio.outbound_rocs

float

Audio outbound ROCS: Average ratio comparing the number of outbound audio frames with concealed samples generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

audio.outbound_rtt

duration

Audio outbound RTT: Time an outbound audio packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor audio quality.

audio.quality

enumeration

Audio call quality: Assessment of the audio call quality. Possible values are:

Good
Poor
Unknown

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: When the audio quality is poor, end-users might experience some distorted, breaking up or robotic sound. Assessment of the quality is based on multiple metrics, like jitter, packet loss... See more details on the related documentation.

call.end_time

datetime

Call end time: Time when the last user left the call. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

call.id

string

Call ID: Unique identifier for the call record.

call.quality

enumeration

Call quality: Indicates the overall call quality computed as a combination of below quality metrics

Audio quality
Video quality
Screen share quality (Teams only)
Failed to connect to the call (Teams only)
Got disconnected from the call (Teams only) Possible values
Poor: If any of the metric is poor.
Good: If majority of the metrics is good.
Unknown: If majority of the metrics is unknown.

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

call.start_time

datetime

Call start time: Time when the first user joined the call

call.type

enumeration

Call type: Indicates if the call type was a group call or a peer-to-peer call. This value is available only for Microsoft teams calls. Possible values are:

Group call
Peer-to-peer
Unknown

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Group call indicates that the call was either scheduled or a call that involves more than two participants. Peer-to-peer indicates it was a direct call between two participants.

connection_type

enumeration

Connection type: The internet connection type for a participant in a given call. Possible values are:

Ethernet
WiFi
cellular
PPP
tunnel
point_to_point

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

Session duration: Time between the start time and end time of the session. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

end_time

datetime

Session end time: Time when the user left the call. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

has_screen_share

bool

Has screen share: Indicates if screen sharing was used during the call. Requirements: This requires

The Collaboration Experience license..
Configured inbound connectors.
macOS requires Jamf as an identity provider..

See more details in the related documentation.

has_video

bool

Session contains video: Indicates if video was used during the call. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

string

Session ID: Unique identifier of the session. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Peer-to-peer calls typically only have one session, whereas group calls typically have at least one session per participant.

participant_device.camera

string

Camera: Camera used during the session. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.mac_address

string

MAC address: MAC address of the participant's device during the session. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.microphone

string

Microphone: Microphone used during the session. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.speaker

string

Speaker: Speaker used during the session. Requirements: This requires

The Collaboration Experience license..
Configured inbound connectors.
macOS requires Jamf as an identity provider..

See more details in the related documentation.

participant_device.type

enumeration

Device type: Participant’s device type during the session. Possible values are:

Windows
macOS
iOS
Android
web
IP_phone
room_system
Surface_Hub
HoloLens
PSTN

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_failed_to_connect

string

Participant failed to connect: Indicates whether the participant failed to connect to the call. Please note: This feature is available only for Teams. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_got_disconnected

string

Participant got disconnected: Indicates if participant got disconnected during the call. Please note: This feature is available only for Teams. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

screen_share.inbound_frame_loss_percentage

float

Screen share inbound frames loss percentage: Percentage of inbound frames loss. Please note: This feature is available only for Teams. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Inbound frame loss percentage refers to the proportion of lost frames during screen sharing. When someone shares their screen, frames (individual images) are transmitted over the network. If any frames are lost or delayed, it affects the viewing experience. The issue may be related to network problems, and troubleshooting involves analysing the network path and seeking community insights. If inbound frame loss percentage > 50%, you will see an issue in screen sharing quality.

screen_share.inbound_frame_rate

integer

Screen share inbound frame rate: Frames per second received by viewers during screen sharing. Please note: This feature is available only for Teams. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Inbound frame rate refers to the frames per second (fps) received by viewers during screen sharing. If inbound frame rate as well as outbound frame rate is less than 1 FPS, the screen sharing quality is marked as poor.

screen_share.outbound_frame_rate

integer

Screen share outbound frame rate: Frames per second transmitted by the person's device who is sharing screen. Please note: This feature is available only for Teams. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Outbound frame rate pertains to the fps at which shared content is transmitted from a person's device who is sharing screen. If inbound frame rate as well as outbound frame rate is less than 1 FPS, the screen sharing quality is marked as poor.

screen_share.quality

enumeration

Screen share quality: Assessment of the screen share quality. The assessment is based on inbound frame loss percentage, inbound and outbound frame rate metrics. Possible values are:

Good
Poor
Unknown

Please note: This feature is available only for Teams. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: When the screen share quality is poor, end-users might experience lags in the screen share display. The screen share quality is considered:

Good when inbound frame loss percentage <= 50% OR (inbound frame loss percentage is null AND inbound frame rate >= 1 AND outbound frame rate >= 1).
Poor when inbound frame loss percentage > 50% OR (inbound frame loss percentage is null AND inbound frame rate < 1 AND outbound frame rate < 1).
Unknown when inbound frame loss percentage is null AND inbound frame rate is null AND outbound frame rate is null.

See more details on the related documentation.

start_time

datetime

Session start time: Time when the user joined the call. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation.

video.inbound_frame_rate

integer

Video inbound frame rate: Frequency at which inbound frames appear on a display. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is lower than 7 FPS, the related session is considered as having a poor video quality.

video.inbound_jitter

duration

Video inbound jitter: Average change in delay between successive inbound video packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.inbound_latency

duration

Video inbound latency: Time it takes an inbound video packet to reach a participant’s device. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.inbound_packet_loss

float

Video inbound packet loss: Ratio of inbound video packets that never reach their destination compared to the total number of inbound video packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.inbound_rtt

duration

Video inbound RTT: Time an inbound video packet takes to reach a participant’s device and for the response to reach its origin. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor video quality.

video.outbound_frame_rate

integer

Video outbound frame rate: The frequency at which outbound frames appear on a display. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.outbound_jitter

duration

Video outbound jitter: Average change in delay between successive outbound video packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.outbound_latency

duration

Video outbound latency: The time it takes an outbound video packet to reach its destination from a participant’s device. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.outbound_packet_loss

float

Video outbound packet loss: Ratio of outbound video packets that never reach their destination compared to the total number of outbound video packets. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

video.outbound_rtt

duration

Video outbound RTT: Time an outbound video packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor video quality.

video.quality

enumeration

Video call quality: Assessment of the video call quality. Possible values are:

Good
Poor
Unknown

Requirements: This requires

The Collaboration Experience license.
Configured inbound connectors.
macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: When the video quality is poor, end-users might experience lags in the video display. Assessment of the video quality is based on multiple metrics, like jitter, frame rate... See more details on the related documentation.

Namespace connection

The connections namespace contains a set of tables which allow troubleshooting connections-related issues along three dimensions: binary/ application, device (incl. location), and destination (incl. location). The tables contain sampled events with data and metrics about network connections initiated by an application on the device of the user. Please note: Connections events are only available for devices with Collectors that report "Infinity only".

events

events are sampled events.

events are associated to binary, device, user, application, network_application

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration: The duration of the time bucket. Requirements: Exclusive to Nexthink Infinity

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

destination.country

string

Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL.

destination.datacenter_region

string

Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:

the regions as provided by the data center owner, if destination.type equals 'datacenter'
NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.

destination.domain

string

Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization . Details: The destination domain name is 'multiple domain names', if a binary establishes multiple connections to the same destination with different domain names. The destination domain name is NULL, if the Collector did not report a domain name or if a binary establishes 512 or more connections within one time bucket.

destination.ip_address

ipAddress

IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. The destination IP address is NULL, if a binary establishes 512 or more connections within one time bucket.

destination.ip_subnet

ipAddress

Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bit of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or ' 2600:1401:4000::1724:2625/120' for IPv6. The destination subnet address is NULL, if a binary establishes 512 or more connections within one time bucket.

destination.owner

string

Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:

Owner of the autonomous system for destinations of type 'internet'
Operator of the data center for destinations of type 'datacenter'
'Intranet' for destinations of type 'intranet'
The destination owner is NULL, if the destination type is NULL.

destination.port

numeric

Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The destination port is NULL, if a binary establishes 512 or more connections within one time bucket.

destination.type

enumeration

Type: Classifies the destination and allows to group destinations. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types: datacenter, internet, and intranet. The destination type is NULL, if a binary establishes 512 or more connections within one time bucket.

end_time

datetime

Bucket end: Time bucket's end time and date. Requirements: Exclusive to Nexthink Infinity

establishment_time

duration

Connection RTT: Average round trip time of the TCP connection establishment. Requirements: Exclusive to Nexthink Infinity Details: Average round trip time for all established connections. The round trip time is measured between sending the SYN (synchronize) message and receiving the SYN-ACK (synchronize-acknowledge) message from the remote party during the TCP connection establishment, a 3-way handshake.

failed_connection_ratio

float

Failed connection ratio: The ratio of all failed TCP connections over all attempted TCP connections i.e., all established and failed TCP connections. Requirements: Exclusive to Nexthink Infinity Details: When aggregating the data, the average is weighted with number of attempted connections i.e., the sum of failed and established TCP connections.

incoming_traffic

bytes

Incoming traffic: Bytes received by the application. Requirements: Exclusive to Nexthink Infinity Details: Bytes received by the application include the traffic from all TCP connections.

ip_version

enumeration

IP version: The Internet Protocol (IP) version used for this connection: IPv4 or IPv6. Requirements: Exclusive to Nexthink Infinity Details: The IP version is NULL, if a binary establishes 512 or more connections within one time bucket.

number_of_alive_connections

long

Alive connections: The number of connections that were established in a previous time bucket and continue into the current time bucket. Requirements: Exclusive to Nexthink Infinity Details: Alive connections may end in the current time bucket or continue into the next time bucket.

The system counts alive connections as successful.

number_of_attempted_connections

long

Attempted connections: The number of TCP connections a process tried to establish in a bucket. Requirements: Exclusive to Nexthink Infinity Details: Attempted connections are the sum of established and failed TCP connections in a bucket.

number_of_connections

long

Total number of connections: The total number of failed and successful connections. Requirements: Exclusive to Nexthink Infinity

number_of_established_connections

long

Established connections: The number of connections that have been established in the current time bucket. Requirements: Exclusive to Nexthink Infinity Details: Established connections may continue into the next time bucket or they might end in the bucket they were established in.

The system counts established connections as successful.

number_of_failed_connections

long

Failed connections: The total number of failed connections. Requirements: Exclusive to Nexthink Infinity Details: Failed connections are calculated as the sum of rejected, no host, and no service connections.

number_of_no_host_connections

long

Failed connections - no host: The number of connections that failed due to the device not reaching the destination host. Requirements: Exclusive to Nexthink Infinity Details: A connection fails to reach the destination host when the destination host does not acknowledge the TCP SYN message, for example, the remote party does not exist or a firewall blocks the connection request.

The system counts 'no host' connections as failed connections.

number_of_no_service_connections

long

Failed connections - no service: The number of connections that failed due to the device not reaching the service on the destination host. Requirements: Exclusive to Nexthink Infinity Details: A connection fails to reach the service on the destination host when the destination host acknowledges the initial TCP SYN message by an RST message but no service is bound to the requested port. Note that a firewall protects most personal computers and discards RST messages to prevent port scanning.

The system counts 'no service' connections as failed connections.

number_of_rejected_connections

long

Failed connections - rejected: The number of outgoing connections that have been rejected on the device of the user. Requirements: Exclusive to Nexthink Infinity Details: The operating system of the device or a local firewall rejects an outgoing connection.

The system counts rejected connections as failed connections.

number_of_successful_connections

long

Successful connections: The total number of successful connections. Requirements: Exclusive to Nexthink Infinity Details: The system calculates successful connections as the sum of established and alive connections.

outgoing_traffic

bytes

Outgoing traffic: Bytes sent by the application. Requirements: Exclusive to Nexthink Infinity Details: Bytes sent by the application include the traffic from all TCP and UDP connections.

start_time

datetime

Bucket start: Time bucket's start time and date. Requirements: Exclusive to Nexthink Infinity

transport_protocol

enumeration

Transport protocol: The transport protocol of this connection: TCP or UDP. Requirements: Exclusive to Nexthink Infinity

tcp_events

The connections.tcp_events table has been deprecated. Please use 'connection.events' table instead.

tcp_events are sampled events.

tcp_events are associated to binary, device, user, application, network_application

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration (deprecated): This field has been deprecated. Please use 'connection.event.bucket_duration' instead. Requirements: Exclusive to Nexthink Infinity

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

destination.country

string

destination.datacenter_region

string

Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:

the regions as provided by the data center owner, if destination.type equals 'datacenter'
NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.

destination.domain

string

destination.ip_address

ipAddress

destination.ip_subnet

ipAddress

destination.owner

string

Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:

Owner of the autonomous system for destinations of type 'internet'
Operator of the data center for destinations of type 'datacenter'
'Intranet' for destinations of type 'intranet'
The destination owner is NULL, if the destination type is NULL.

destination.port

numeric

destination.type

enumeration

end_time

datetime

Bucket end (deprecated): This field has been deprecated. Please use 'connection.event.end_time' instead. Requirements: Exclusive to Nexthink Infinity

establishment_time

duration

Connection RTT (deprecated): This field has been deprecated. Please use 'connection.event.establishment_time' instead. Requirements: Exclusive to Nexthink Infinity

incoming_traffic

bytes

Incoming traffic (deprecated): This field has been deprecated. Please use 'connection.event.incoming_traffic' instead. Requirements: Exclusive to Nexthink Infinity

ip_version

enumeration

IP version (deprecated): This field has been deprecated. Please use 'connection.event.ip_version' instead. Requirements: Exclusive to Nexthink Infinity Details: The IP version is NULL, if a binary establishes 512 or more connections within one time bucket.

number_of_alive_connections

long

Alive connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_alive_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_connections

long

Total number of connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_established_connections

long

Established connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_established_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_failed_connections

long

Failed connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_failed_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_no_host_connections

long

Failed connections - no host (deprecated): This field has been deprecated. Please use 'connection.event.number_of_no_host_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_no_service_connections

long

Failed connections - no service (deprecated): This field has been deprecated. Please use 'connection.event.number_of_no_service_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_rejected_connections

long

Failed connections - rejected (deprecated): This field has been deprecated. Please use 'connection.event.number_of_rejected_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_successful_connections

long

Successful connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_successful_connections' instead. Requirements: Exclusive to Nexthink Infinity

outgoing_traffic

bytes

Outgoing traffic (deprecated): This field has been deprecated. Please use 'connection.event.outgoing_traffic' instead. Requirements: Exclusive to Nexthink Infinity

start_time

datetime

Bucket start (deprecated): This field has been deprecated. Please use 'connection.event.start_time' instead. Requirements: Exclusive to Nexthink Infinity

udp_events

The connections.udp_events table has been deprecated. Please use 'connection.events' table instead.

udp_events are sampled events.

udp_events are associated to binary, device, user, application, network_application

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration (deprecated): This field has been deprecated. Please use 'connection.event.bucket_duration' instead. Requirements: Exclusive to Nexthink Infinity

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

destination.country

string

destination.datacenter_region

string

Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:

the regions as provided by the data center owner, if destination.type equals 'datacenter'
NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.

destination.domain

string

destination.ip_address

ipAddress

destination.ip_subnet

ipAddress

destination.owner

string

Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:

Owner of the autonomous system for destinations of type 'internet'
Operator of the data center for destinations of type 'datacenter'
'Intranet' for destinations of type 'intranet'
The destination owner is NULL, if the destination type is NULL.

destination.port

numeric

destination.type

enumeration

end_time

datetime

Bucket end (deprecated): This field has been deprecated. Please use 'connection.event.end_time' instead. Requirements: Exclusive to Nexthink Infinity

ip_version

enumeration

number_of_alive_connections

long

Alive connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_alive_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_connections

long

Total number of connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_established_connections

long

Established connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_established_connections' instead. Requirements: Exclusive to Nexthink Infinity

number_of_successful_connections

long

Successful connections (deprecated): This field has been deprecated. Please use 'connection.event.number_of_successful_connections' instead. Requirements: Exclusive to Nexthink Infinity

outgoing_traffic

bytes

Outgoing traffic (deprecated): This field has been deprecated. Please use 'connection.event.outgoing_traffic' instead. Requirements: Exclusive to Nexthink Infinity

start_time

datetime

Bucket start (deprecated): This field has been deprecated. Please use 'connection.event.start_time' instead. Requirements: Exclusive to Nexthink Infinity

Namespace connectivity

Connectivity events offers details about IP networking performance. It can be used to detect and diagnose networking issues such as misconfigurations, poor Wi-Fi signal strength and other issues affecting employees in particular offices or when working from home. Useful trend data can also be obtained using this table.

events

Table collecting performance metrics and attributes specific to a device's connectivity.

events are sampled events.

events are associated to device

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration: Duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

end_time

datetime

Bucket end: End time of the bucket.

primary_physical_adapter.dns_ips

ipAddressArray

List of DNS servers: List of DNS server IP addresses set for the primary physical network adapter.

primary_physical_adapter.gateway_ips

ipAddressArray

List of gateways: List of gateway IP addresses set for the primary physical network adapter.

primary_physical_adapter.local_ips

ipAddressArray

List of local IPs: List of local IP addresses set for the primary physical network adapter.

primary_physical_adapter.type

enumeration

Network adapter type: Type of the primary network adapter:

WiFi
Ethernet
Bluetooth

start_time

datetime

Bucket start: Start time of the bucket.

wifi.band

enumeration

WiFi band (preview): The WiFi frequency band used:

wifi_900MHz
wifi_2dot4GHz
wifi_3dot65GHz
wifi_5GHz

Details: The WiFi frequency bands:

wifi_900MHz: 900 MHz
wifi_2dot4GHz: 2.4 GHz
wifi_3dot65GHz: 3.65 GHz
wifi_5GHz: 5 GHz

wifi.bssid

string

WiFi BSSID: The physical address of the access point or wireless router used to connect to the WiFi. Requirements: By default, Collector does not report the BSSID. Reporting has to be enabled with the WiFi network Collector configuration parameter.

Windows

wifi.channel_id

integer

WiFi channel ID: The channel ID of the WiFi used.

wifi.channel_width

integer

WiFi channel width: Width of the used WiFi channel in MHz.

macOS

wifi.noise_level

integer

WiFi noise level: Average WiFi noise level in dBm. Details: The WiFi noise is a negative number. The lower, the better. A noise level below -80 dBm is considered good.

macOS

wifi.p5_signal_strength

integer

WiFi p5 signal strength: 5th percentile of the RSSI. During the 15minutes period, the rssi was 95% of the time equal or larger than the receive value. Details: 5th percentile of the signal strength in dBm.

wifi.physical_layer_protocol

enumeration

WiFi physical layer protocol: The WiFi protocol used. Details: The possible values based on the IEEE 802.11 protocols:

802_11a
802_11b
802_11g
802_11n
802_11ac
802_11ad
802_11ax

wifi.receive_rate

integer

WiFi receive rate: Receive rate for the WiFi adapter in Mbit/sec.

Windows

wifi.signal_strength

integer

WiFi signal strength: Average WiFi signal strength in dBm. Details: The WiFi signal strength (RSSI) is a negative number. The higher (closer to 0), the better. A signal strength above -60 dBm is considered good.

wifi.ssid

string

WiFi SSID: The WiFi network name (SSID). Requirements: By default, Collector does not report the SSID. Reporting has to be enabled with the WiFi network Collector configuration parameter.

Windows

wifi.transmission_rate

integer

WiFi transmission rate: Transmission rate for the WiFi adapter in Mbit/sec. Details: This metric provides the best understanding of the quality of the WiFi connection. Higher values are better.

Namespace device_performance

The device performance namespace gathers tables that store information related to boots, crashes and other device performance indicators. Querying them allows users to investigate system issues.

boots

The table collecting boots of devices.

boots are punctual events.

boots are associated to device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

Boot duration: The duration of the boot.

Windows

number_of_boots

integer

Number of boots: The number of device boots.

time

datetime

Time: The date and time of the boot.

type

enumeration

Type: The type of the boot. Possible values are:

fast_startup
full_boot

events

The table collecting performance metrics and attributes specific to a device.

events are sampled events.

events are associated to device

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration: The duration of the bucket.

cached_memory

bytes

Cached memory: The average amount of RAM used for caching and that can be freed up without writing it to the storage first. A higher value indicates that the operating system is optimizing access to more content that otherwise would be available from slower storage. Details: Low value (below 1GB) can signal that the system could benefit from more memory.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

cpu_interrupt_usage

float

CPU usage by interrupts: The average share of time while the processor needs to handle hardware interrupts. These interrupts have higher priority than applications and other tasks and a high value could signal potential hardware or driver issues, some applications competing for shared hardware resources. Details: Usually should be below 2% and anything above 5% is considered high and often have a perceivable effect on user experience like input lag and degraded responsivity.

Windows

cpu_queue_length

integer

CPU queue length: The average CPU queue length indicates how many threads are waiting for their turn to get execution time on one of the available logical processors during the observed period of time. Details: Values higher than the double of available logical processors for an extended period of time signal that the workload could benefit from a CPU with higher core count and better multi-threading capabilities.

Windows

cpu_usage

float

CPU usage: The average of the total CPU usage of all logical processors for the time period. Maximum value is 100% * number of logical processors available in the system. Details: Suitable for sizing purposes. For example, how many vCPUs would be required if this workload was about to move to a remote desktop?

disk_queue_length

float

Queue length of the system drive: The average number of storage input and output tasks waiting to be executed on the system drive. Details: A high number indicates slow storage devices, when applications might have low performance due to waiting for storage access. Anything above 1 is usually to be avoided.

Windows

disk_read_latency

duration

Read latency of the system drive: The average time the operating system and applications wait for read tasks to be queued and executed on the system drive. Details: While latency is heavily dependent on the type of storage device used, the best practices recommend that on average disk latency should be no more than 10 milliseconds, and 20 milliseconds during peak time.

Windows

disk_write_latency

duration

Write latency of the system drive: The average time the operating system and applications wait for write tasks to be queued and executed on the system drive. Details: While latency is heavily dependent on the type of storage device used, the best practices recommend that on average the disk latency should be no more than 10 milliseconds and 20 milliseconds during peak time.

Windows

duration_with_high_cpu_interrupt_usage

duration

Duration with high CPU interrupt usage: The duration with high CPU interrupt usage, calculated based on number of samples above the 5% threshold and a sampling frequency of 30 seconds.

Windows

duration_with_medium_cpu_interrupt_usage

duration

Duration with medium CPU interrupt usage: The duration with medium CPU interrupt usage. Calculated based on number of samples above 2% threshold and a sampling frequency of 30 seconds.

Windows

end_time

datetime

Bucket end: The end time of the bucket.

free_memory

bytes

Free memory: The additional average amount of RAM available for applications or the operating system. Details: What is considered a healthy amount of free memory depends on the workload (how bursty the memory requirements are) and can greatly vary. Less then 10% of the installed memory is generally considered as a potential bottleneck.

gpu_1_name

string

Name of the first GPU: The full name of the first GPU returned by the OS.

gpu_1_usage

float

GPU usage (1st GPU): Shows if applications are benefitting from the acceleration capabilities of the first GPU. Details: High, continued usage (80 to 90%) can signal the GPU being a bottleneck.

gpu_2_name

string

Name of the second GPU: The full name of the second GPU returned by the OS.

gpu_2_usage

float

GPU usage (2nd GPU): Shows if applications are benefitting from GPU acceleration. High continued usage (80 to 90%) can signal the GPU being a bottleneck. Details: High continued usage (80 to 90%) can signal the GPU being a bottleneck.

installed_memory

bytes

Installed memory: The total size of the RAM physically installed in the device.

memory_swap_rate

bytes

Bytes wrote to swap memory per second: The speed that content is being written to disk to free up memory. Details: Continued frequent spikes can signal that the memory is a bottleneck for running the given tasks. It can indicate periods of lower performance.

memory_swap_size

bytes

Swap memory size: The average size of the swap file being actively utilized by the operating system. This can impact the amount of available storage for other applications. Details: Continued high values can indicate slower performance in general. What is considered a high value is workload dependent. Having more than 5GB of swap storage is usually considered excessive. As a best practice, the storage should be able to accommodate as much swap space as the amount of installed physical memory to able to support heavier then usual workloads.

non_paged_pool_memory

bytes

Non-paged pool memory: The amount of memory used by the operating system kernel and drivers that must remain in memory all the time. Details: A high increasing value shows a kernel or driver-level memory leak.

Windows

non_system_drive_capacity

bytes

Non system drive capacity: The total size of all non-system drives. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

non_system_drive_free_space

bytes

Non system drive free space: The amount of space available on all of the non-system drives. Details: The best practices recommend to leave 10 to 20% of storage free for spinning drives, and for not only better performance but also longevity SSDs should have more then 25% free space available most of the time. The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

non_system_drive_usage

bytes

Non system drive usage: The amount of used space on all of the non-system drives. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

normalized_cpu_usage

float

Normalized CPU usage: The average CPU usage on a 0 to 100% scale for the time period. Indicates how much of the time the CPU is busy. Details: Continued 80 to 90% or higher value indicates if the CPU is a bottleneck for the workload. It does not consider the clock speed itself and will show high utilisation even if in theory the CPU could run at higher speeds but it is in fact (thermally) throttled.

number_of_logical_processors

integer

Number of logical CPU cores: The number of logical CPUs available for the operating system to execute tasks simultaneously. Details: Based on number of CPUs, their core count and their multi-threading capability.

paged_pool_memory

bytes

Paged pool memory: The amount of memory used by the operating system kernel and drivers that can potentially be written to storage if needed. Details: A high increasing value shows a kernel or driver-level memory leak.

Windows

read_operations_per_second

integer

Read operations per second: The total number of read operations per second, across all physical storage available on the device. Details: Useful for understanding the intensity of read operations that the workflow requires when moving workloads between physical devices or to virtual machines.

Windows

start_time

datetime

Bucket start: The start time of the bucket.

system_drive_capacity

bytes

System drive capacity: The total capacity of the system drive. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays the data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

system_drive_free_space

bytes

System drive free space: The free space on the system drive. Details: The best practices recommend to leave 10 to 20% of storage free for spinning drives, and for not only better performance but also longevity SSDs should have more than 25% free space available most of the time. The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays the data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

system_drive_usage

bytes

System drive usage: The amount of used space on the system drive. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

used_memory

bytes

Used memory: The average amount of RAM actively used by the applications and the operating system. Details: If the operating system needs to free up some memory (for example, for other applications taking priority or getting in the foreground) the content is written to disk.

write_operations_per_second

integer

Write operations per second: The total number of write operation per second across all physical storage available on the device. Details: Useful for understanding the intensity of write operations that the workflow requires when moving workloads between physical devices or to virtual machines.

Windows

hard_resets

hard_resets are punctual events.

hard_resets are associated to device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_hard_resets

integer

Number of hard resets: The number of hard resets.

time

datetime

Time: The date and time of the crash.

system_crashes

The table collecting the system crashes of the devices.

system_crashes are punctual events.

system_crashes are associated to device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

error_code

long

Error code: The error code for system crashes.

Windows

error_code_hexadecimal

string

Error code in hexadecimal: The hexadecimal error code for system crashes.

Windows

label

string

Label: The error label for system crashes.

Windows

number_of_system_crashes

integer

Number of system crashes: The number of system crashes.

time

datetime

Time: The date and time of the system crash.

Namespace dex

Querying the DEX score table gives an overview of digital employee experience for all employees or a specific subset of employees. For example, you can query DEX scores for specific locations, devices with a specific operating system, and other parameters.

application_scores

application_score

application_scores are punctual events.

application_scores are associated to device, user, application

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

node.score_impact

float

Score impact: The estimated decrease in technology score of a node of the application impact score structure. Use it with the field application_score.node.type to specify which node impact score you are targeting.

node.type

enumeration

Node type: The type of a node of the application score structure. Use it with the field application_score.node.value to specify which node you are targeting for the score computation. Details: The possible values are:

Page_loads: returns the page load score of an application,
Transactions: returns the transaction score of an application,
Web_reliability: returns the web reliability score of an application,
Crashes: returns the crash score of an application,
Freezes: returns the freeze score of an application,
Application: returns the score of an application.

Refer to the DEX score documentation for more information.

node.value

float

Node score: The score of a node of the application score structure. Use it with the field application_score.node.type to specify which node score you are targeting. Details: It is computed based on the metric corresponding to the application_score.node.type specified in the query:

Page_loads: based on the average value of the load time, for example field perceived_duration divided by field perceived_count ),
Transactions: based on the average value of the field transaction.duration ,
Web_reliability: based on the sum of web errors (field number_of_errors ),
Crashes: based on the sum of execution crashes (field number_of_crashes ),
Freezes: based on the sum of execution freezes (field number_of_freezes ),
Application: based on all the above metrics.The value is between 0 and 100 and corresponds to:
0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

score_computation_approximation

enumeration

Score computation approximation: This indicates whether an approximation related to the device or its context influenced the computation of the score. The possible values are:

unknown
none
multi_device
multi_context

When the device or context changes, this field will indicate that the score cannot be associated beyond the user to device and context. Details: Approximations may arise from scenarios such as user operating multiple devices at the same time or changes in the device context within an hour, such as change in location. See here for more information: FAQ

time

datetime

Time: The time of the DEX application score event.

scores

A table of the DEX score.

scores are punctual events.

scores are associated to device, user

Field

Type

Description

Supported platforms

applications.score_impact

float

Applications score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

applications.value

float

Applications score: The Applications score is based on hard metrics around applications' performance and reliability.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.score_impact

float

Collaboration score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

collaboration.teams_audio_quality_score_impact

float

Teams (collaboration) - audio quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

collaboration.teams_audio_quality_value

float

Teams (collaboration) - audio quality score: The Teams audio quality score is based on the number of calls with poor audio quality.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The system computes the Teams audio quality score based on the count of virtual meeting events with poor audio quality. For example, the field audio.quality is equal to POOR. The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.teams_score_impact

float

Teams (collaboration) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

collaboration.teams_value

float

Teams (collaboration) score: The Teams score is based on hard metrics around the video and audio quality.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.teams_video_quality_score_impact

float

Teams (collaboration) - video quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

collaboration.teams_video_quality_value

float

Teams (collaboration) - video quality score: The Teams video quality score is based on the number of calls with poor video quality.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The system computes the Teams video quality score based on the count of virtual meeting events with poor video quality. For example, the field video.quality is equal to POOR. The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.value

float

Collaboration score: The Collaboration score is based on hard metrics around collaboration applications such as Zoom or Teams.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The value is be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.zoom_audio_quality_score_impact

float

Zoom (collaboration) - audio quality score impact: The Zoom audio quality score is based on the number of calls with poor audio quality.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The system computes the Zoom audio quality score based on the count of virtual meeting events with poor audio quality. For example, field audio.quality is equal to POOR.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.zoom_audio_quality_value

float

Zoom (collaboration) - audio quality score: The Zoom audio quality score is based on the number of calls with poor audio quality.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.zoom_score_impact

float

Zoom (collaboration) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

collaboration.zoom_value

float

Zoom (collaboration) score: The Zoom score is based on hard metrics around video and audio quality.

The score represents the level of digital experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

collaboration.zoom_video_quality_score_impact

float

Zoom (collaboration) - video quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

collaboration.zoom_video_quality_value

float

Zoom (collaboration) - video quality score: The Zoom video quality score is based on the number of calls with poor video quality.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The system computes the Zoom video quality score based on the count of virtual meeting events with poor video quality. For example, field video.quality is equal to POOR.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

endpoint.CPU_interrupt_usage_score_impact

float

CPU interrupt usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

Windows

endpoint.CPU_interrupt_usage_value

float

CPU interrupt usage score: The CPU interrupt usage score is based on the amount of CPU interrupts over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the CPU interrupt usage score based on the value of the field cpu_interrupt_usage, which is highlighted when applications compete for shared hardware CPU resources.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

Windows

endpoint.CPU_usage_score_impact

float

CPU usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.CPU_usage_value

float

CPU usage score: The CPU usage score is based on the amount of CPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the CPU usage score based on the value of the field normalized_cpu_usage, which is the average percentage of the CPU usage across all logical cores.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.GPU_1_usage_score_impact

float

GPU 1 usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.GPU_1_usage_value

float

GPU 1 usage score: The GPU 1 usage score is based on the amount of GPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the GPU 1 usage score based on the value of the field gpu_1_usage, which is the average percentage of the GPU usage.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.GPU_2_usage_score_impact

float

GPU 2 usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.GPU_2_usage_value

float

GPU 2 usage score: The GPU 2 usage score is based on the amount of GPU usage over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the GPU 2 usage score based on the value of the field gpu_2_usage, which is the average percentage of the GPU usage.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.boot_speed_score_impact

float

Boot speed score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

Windows

endpoint.boot_speed_value

float

Boot speed score: The boot speed score is based on the duration of boot events. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the boot speed score based on the value of the field boot.duration , which is the time between powering on a device and the display of the sign-in screen.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

Windows

endpoint.device_performance_score_impact

float

Device performance score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.device_performance_value

float

Device performance score: The device performance score is based on hard metrics around CPU usage, GPU usage, memory usage, and system free space. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.device_reliability_score_impact

float

Device reliability score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.device_reliability_value

float

Device reliability score: The Device reliability score is based on hard metrics regarding system crashes and hard resets.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.device_responsiveness_score_impact

float

Device responsiveness score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.device_responsiveness_value

float

Device responsiveness score: The Device responsiveness score is based on the delay between a user action (e.g., moving the mouse, pressing a key, etc.) and the OS acting upon it.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the amount of time per hour with noticeable input delay for the user (fields duration_with_high_user_input_delay, duration_with_medium_input_delay ).The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.disk_queue_length_score_impact

float

Disk queue length score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

Windows

endpoint.disk_queue_length_value

float

Disk queue length score: The disk queue length score is based on the number of disk tasks waiting to be executed. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the disk queue length score based on the value of the field disk_queue_length, which is the number of storage input and output tasks waiting to be executed on the system drive.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

Windows

endpoint.hard_reset_score_impact

float

Hard reset score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.hard_reset_value

float

Hard reset score: The Device responsiveness score is based on the number of hard resets.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the field number_of_hard_resets , which captures abrupt stops of a device caused by pressing the reset button, power failures or crashes.The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.logon_speed_score_impact

float

Logon speed impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

Windows

endpoint.logon_speed_value

float

Logon speed score: The Logon speed score is based on the duration of logon events.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the value of the field time_until_desktop_is_visible , which is the number of seconds between the user logging on and the desktop being shown.The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

Windows

endpoint.memory_swap_rate_score_impact

float

Memory swap rate score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.memory_swap_rate_value

float

Memory swap rate score: The memory swap rate score is based on the speed at which memory is written from RAM to the disk to free up memory. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory swap rate score based on the value of the field memory_swap_rate, which is the average speed at which memory is written to the swap file.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.memory_swap_size_score_impact

float

Memory swap size score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.memory_swap_size_value

float

Memory swap size score: The memory swap size score is based on the amount of space used by the operating system to move application data from RAM to the disk. A score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory swap size score based on the value of the field memory_swap_size, which is the average amount of disk space the operating system allocates to store the state of less frequently used applications from RAM to the disk.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.memory_usage_score_impact

float

Memory usage score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.memory_usage_value

float

Memory usage score: The memory usage score is based on the amount of RAM over time. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the memory usage score based on the value of the field free_memory divided by the value of the field installed_value, which measures the average percentage of free RAM.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.network_quality_score_impact

float

Network quality score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.network_quality_value

float

Network quality score: The network quality score is based on hard metrics around the Wi-Fi signal strength, download speed, and upload speed. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.os_activation_score_impact

float

OS activation score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

Windows

endpoint.os_activation_value

float

OS activation score: The OS activation score is based on the number of devices used by the users that do not have an activated OS.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the count of devices operated by the user with a non-activated operating system (i.e., field operating_system.is_activated is equal to False).The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

Windows

endpoint.score_impact

float

Endpoint score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_performance_score_impact

float

Software performance impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_performance_value

float

Software performance score: The Software performance score is based on hard metrics regarding software freezes occurring across the devices.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.software_performance_with_gui_score_impact

float

Software performance (with GUI) impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_performance_with_gui_value

float

Software performance (with GUI) score: The Software performance score is based on freezes of binaries with a Graphical User Interface.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the execution freezes (field number_of_freezes ) of binaries with a graphical user interface (i.e., field has_user_interface is equal to TRUE).The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.software_performance_without_gui_score_impact

float

Software performance (without GUI) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_performance_without_gui_value

float

Software performance (without GUI) score: The Software performance score is based on freezes of binaries without a Graphical User Interface.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the execution freezes (field number_of_freezes ) of binaries without a graphical user interface (i.e., field has_user_interface is equal to false).The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.software_reliability_score_impact

float

Software reliability impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_reliability_value

float

Software reliability score: The Software reliability score is based on hard metrics regarding software crashes occurring across the device.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.software_reliability_with_gui_score_impact

float

Software reliability (with GUI) impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_reliability_with_gui_value

float

Software reliability (with GUI) score: The Software reliability score is based on crashes of binaries with a Graphical User Interface.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the execution crashes (field number_of_crashes ) of binaries with a graphical user interface (i.e., field has_user_interface is equal to TRUE).The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.software_reliability_without_gui_score_impact

float

Software reliability (without GUI) score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.software_reliability_without_gui_value

float

Software reliability (without GUI) score: The Software reliability score is based on crashes of binaries without a Graphical User Interface.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the execution crashes (field number_of_crashes ) of binaries without a graphical user interface (i.e., field has_user_interface is equal to false).The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.system_crash_score_impact

float

System crash score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.system_crash_value

float

System crash score: The Device responsiveness score is based on the number of system crashes.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the field number_of_system_crashes , which captures crashes of a device such as Blue Screen of Death (BSOD) on Windows.The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.system_free_space_score_impact

float

System free space score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.system_free_space_value

float

System free space score: The system free space score is based on the amount of free system disk space. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the system free space score based on the value of the field system_drive_free_space, which is the amount of free space available on the system drive.The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.value

float

Endpoint score: The Endpoint score is based on hard metrics focused on device performance and reliability.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.virtual_session_lag_score_impact

float

Virtual session lag impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.virtual_session_lag_value

float

Virtual session lag score: The Virtual session lag score is based on the network latency for virtual sessions.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: It is computed based on the value of the field average_network_latency , which measures the lag for virtual sessions.The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

endpoint.wifi_download_speed_score_impact

float

WiFi download speed score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.wifi_download_speed_value

float

WiFi download speed score: The Wi-Fi download speed score is based on the receiving rate of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi download speed score based on the value of the field receive_rate, which is the transmission rate of the Wi-Fi adapter. The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experience

The system computes it once per day and it is based on data from the last 7 days. Refer to the DEX score documentation for more information.

endpoint.wifi_signal_strength_score_impact

float

WiFi signal strength score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.wifi_signal_strength_value

float

WiFi signal strength score: The Wi-Fi signal strength score is based on the signal quality of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi signal strength score based on the value of the field signal_strength, which is the Wi-Fi signal strength or Received Signal Strength Indicator (RSSI).The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes the value once per day and it is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

endpoint.wifi_upload_speed_score_impact

float

WiFi upload speed score impact: Estimated decrease in the Technology component of the DEX score due to issues monitored by this node.

endpoint.wifi_upload_speed_value

float

WiFi upload speed score: The Wi-Fi upload speed score is based on the transmission rate of the Wi-Fi network. The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location. Details: The system computes the Wi-Fi upload speed score based on the value of the field transmission_rate, which is the transmission rate for the Wi-Fi adapter. The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experience

The system computes the value once per day and it is based on data from the last 7 days. Refer to the DEX score documentation for more information.

score_computation_approximation

enumeration

Score computation approximation: This indicates whether an approximation related to the device or its context influenced the computation of the score. The possible values are:

unknown
none
multi_device
multi_context

sentiment.value

integer

Sentiment score: The Sentiment score is based on survey data collected via a sentiment campaign.

A score represents the level of satisfaction with IT.

Details: The value could be between 0 and 100 and corresponds to:

0-30: Dissatisfied employee
31-70: Not dissatisfied, nor satisfied employee
71-100: Satisfied employeeIt is computed once per day and is based on survey data from the last 30 days.

More info from the documentation

technology.value

float

Technology score: The Technology score is based on hard metrics for endpoints, applications, and collaboration solutions.

A score represents the level of digital experience for the combination of a user, device, and user's context (e.g., location).

Details: The value could be between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceIt is computed once per day and is based on data from the last 7 days.

More info from the documentation

time

datetime

Time: The time of the DEX metric.

value

float

DEX score: The Digital Employee Experience (DEX) score is based on hard metrics and soft metrics.

The score represents the level of digital employee experience for the combination of the following factors: user, device, and user's context, such as employee location.

Details: The value is between 0 and 100 and corresponds to:

0-30: Frustrating experience
31-70: Average experience
71-100: Good experienceThe system computes it once per day and is based on data from the last 7 days.

Refer to the DEX score documentation for more information.

Namespace execution

The execution namespace consists of two tables: crashes and events. The crashes table contains instances of executables crashing. The execution events table stores information about the performance of executables in 15-minute or 24-hour time blocks.

crashes

The table collecting crashes of a running process.

crashes are punctual events.

crashes are associated to binary, device, user, application

Field

Type

Description

Supported platforms

binary_path

string

Binary path: The path to the crashing binary.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

crash_on_start

bool

Crashed on start: Indicates if the binary crashed immediately after launch. Details: Yes if the process crashes within the first second.

number_of_crashes

integer

Number of crashes: The number of crashes of the same binary that happened within one minute. Details: Collector creates only one event if the same binary crashes multiple times within one minute.

time

datetime

Time: The date and time when the crash happened.

events

The table collecting performance metrics and attributes specific to a process execution.

events are sampled events.

events are associated to user, binary, device, application

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration: The duration of the bucket.

connection_establishment_time

duration

Connection establishment time: The average round trip time during TCP connection establishment. Requirements: TCP connections only Details: The average RTT for all established connections. The round trip time is measured between sending the SYN message and receiving the SYN-ACK message from the remote party during the TCP connection establishment (3-way handshake).

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

cpu_time

duration

CPU time: The sum of the CPU time of all the underlying processes during this bucket. Details: The CPU time can be much higher than the bucket duration as multiple processes can run in parallel on several CPU cores.

end_time

datetime

Bucket end: The end time of the bucket.

execution_duration

duration

Execution duration: The duration of the process in this bucket. Details: It represents the total time for which at least one instance of the process was running.

focus_time

duration

Focus time: The amount of time any window related to this execution was in focus. Details: A window is in 'focus' when it is selected to receive input from the user. Only one window has the focus at any point in time.

The focus time of all windows related to this execution is summed up to a maximum that equals the bucket duration.

incoming_throughput

float

Incoming throughput: The average download speed in Mbit/sec. Requirements: TCP connections only

incoming_traffic

bytes

Incoming traffic: The amount of application traffic received. Requirements: TCP connections only

memory

bytes

Memory used: The average memory in bytes. Details: This metric is based on the memory used by all processes running the same binary during this bucket.

When aggregating the data, the average is weighted with the execution duration.

number_of_established_connections

integer

Established connections: The number of connections that have been established in this bucket.

number_of_freezes

integer

Number of freezes: The number of execution freezes. Details: The sampling of unresponsive applications every 30 second might lead to missed execution freezes.

number_of_logical_processors

integer

Logical processors: The number of logical processors on the device. Details: Use this metric to calculate normalized CPU usage by dividing through the number of logical processors.

number_of_no_host_connections

integer

Failed connections - no host: The number of connections that failed because the device cannot reach the destination host. Requirements: TCP connections only Details: A connection fails with 'no host' when the destination host (remote party) does not acknowledge the TCP SYN message. For example, the remote party does not exist or a firewall blocks the connection request.

number_of_no_service_connections

integer

Failed connections - no service: The number of connections that failed because the device cannot reach the service on the destination host. Requirements: TCP connections only Details: A connection fails with 'no service' when the destination host (remote party) acknowledged the initial TCP SYN message by an RST message. For example, the remote party exists, but no service is bound to the request port.

Note that a firewall protects most personal computers and discards RST messages to prevent effective port scanning.

number_of_page_faults

long

Page faults: The total number of page faults. Details: A page fault happens, when a process tries to access a part of the memory that has not yet been loaded into memory. Page faults degrade the performance of the execution and the system.

Windows

number_of_rejected_connections

integer

Failed connections - rejected: The number of outgoing connections that have been rejected on the device of the user. Requirements: TCP connections only Details: The operating system of the device or a local firewall can reject an outgoing connection on the device.

number_of_stopped_processes

integer

Stopped processes: The total number of processes terminated without error.

outgoing_throughput

float

Outgoing throughput: The average upload speed in Mbit/sec.

outgoing_traffic

bytes

Outgoing traffic: The amount of application traffic sent. Details: This includes the traffic from all TCP and UDP connections.

primary_physical_adapter_type

enumeration

Network adapter type: The type of the primary physical network adapter at the time of this execution. Details: There are three types of physical network adapters: :

WiFi
Ethernet
Bluetooth

start_time

datetime

Bucket start: The start time of the bucket.

total_memory

bytes

Total memory: The total memory of the whole application in bytes. Requirements: Exclusive to Nexthink Infinity. Minimum Collector version: 2024.9 Details: This metric is only available for the process of the main binary (process_hierarchy == main_process). It is the sum of the memory used by all processes with the same main_binary during this bucket. When aggregating the data, the average is weighted with the execution duration.

Namespace package

The package namespace includes information about software products in their distributable form: applications and updates. In addition to the packages and installed_packages tables, it includes two event tables: installations and uninstallations.

packages

A table of packages. A package is a group of files and executables that together constitute a software application.

Field

Type

Description

Supported platforms

first_seen

datetime

First seen: It represents the date and time the package was first detected on the Nexthink platform.

Windows macOS

name

string

Package name: The name of the packages as it is listed in the operating system. Details: The Nexthink platform scans for new packages once per hour. Installation and uninstallation events align with the hourly scans.

Windows macOS

parent_name

string

Parent package name: It shows the name of the original package that an update was installed for. Details: Applies only to updates. The field is empty for regular installation packages.

Windows

platform

enumeration

Package platform: The platform to which the operating system belongs for the installed package. Details: Possible values are:

Windows
macOS

Windows macOS

publisher

string

Package publisher: The name of the company that publishes the software.

Windows macOS

type

enumeration

Package type: It shows if the package contains a program or an update to a previously installed package. Details: Possible values are:

Program
Update

Windows macOS

uid

uuid

Package UID: The numerical value that uniquely identifies a package on the Nexthink platform.

Windows macOS

version

string

Package version: The version of the package stored as a String. Details: The type is set as a string because the package version reported by the operating system is not always numerical. This contrasts with binary.version, which consistently follows the x.y.z.t format.

Windows macOS

installations

A table of package installation events.

installations are punctual events.

installations are associated to package, device, user

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

time

datetime

Installation time: The time of the installation event.

uninstallations

A table of package uninstallation events.

uninstallations are punctual events.

uninstallations are associated to package, device, user

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

time

datetime

Uninstallation time: The time of the uninstallation event.

installed_packages

A table of all installed packages on all devices.

installed_packages are associated to device, user, package,

Field

Type

Description

Supported platforms

first_seen

datetime

First seen: It represents the date and time the package was first detected on the Nexthink platform.

Windows macOS

name

string

Windows macOS

parent_name

string

Parent package name: It shows the name of the original package that an update was installed for. Details: Applies only to updates. The field is empty for regular installation packages.

Windows

platform

enumeration

Package platform: The platform to which the operating system belongs for the installed package. Details: Possible values are:

Windows
macOS

Windows macOS

publisher

string

Package publisher: The name of the company that publishes the software.

Windows macOS

type

enumeration

Package type: It shows if the package contains a program or an update to a previously installed package. Details: Possible values are:

Program
Update

Windows macOS

uid

uuid

Package UID: The numerical value that uniquely identifies a package on the Nexthink platform.

Windows macOS

version

string

Windows macOS

Namespace platform

The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'

audit_logs

The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'

audit_logs are punctual events.

Field

Type

Description

Supported platforms

account

string

Account: The name of the account or the API credentials that triggered the action.

custom_trends_logs

The list of all logs associated to custom trends computations. Requires permission 'View platform logs in NQL'.

custom_trends_logs are punctual events.

Field

Type

Description

Supported platforms

details

jsonType

Details: Custom Trends log details.

status

enumeration

Status: The status of the custom trend execution.

time

datetime

Time: The timestamp of the event.

data_export_logs

data_export_log

data_export_logs are punctual events.

Field

Type

Description

Supported platforms

details

jsonType

Details: Data Export log details.

status

enumeration

Status: The status of the data export execution.

time

datetime

Time: The timestamp of the event.

Namespace remote_action

The remote action namespace consists of tables giving details about remote actions, including the configuration data and the remote action executions. Nexthink Remote Actions allows you to execute small scripts on employee devices. It provides several opportunities for the prevention and remediation of employee issues and for gathering additional information from endpoints running Nexthink Collector.

remote_actions

The table of defined remote actions.

Field

Type

Description

Supported platforms

name

string

Name: The name of the remote action. Details: User defined friendly name created through the remote action configuration page. The name of the remote action can be changed after creation and should not be considered as a unique identifier.

nql_id

string

NQL ID: The unique identifier of a remote action. Details: The NQL ID cannot be changed after the initial creation.

source

enumeration

Remote action source: It represents the platform that was used to create the remote action. Details: Possible values:

cloud
finder

Note that cloud references Nexthink Infinity.

executions

The table collecting the executed remote actions.

executions are punctual events.

executions are associated to device, remote_action

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

external_reference

string

External reference: An identifier of the external web application record in reference to which the remote action was executed. Details: The field could contain the values such as the ticket identifier of the ITSM ticket.

external_source

string

External source: Name of the external system, outside of Nexthink, from where the remote action was triggered. Details: External source contains the name of the external system which either used Nexthink product or directly the API to trigger the remote action.

inputs

string

Inputs: A list of the inputs provided for the remote action execution. Details: The list of inputs provided for the remote action execution at the point it was triggered. These inputs are used by the remote action to influence how it behaves.

internal_source

string

Internal source: Displays the name of the feature from which the remote action was triggered. Possible values: Amplify, Workflow, Investigation, Device view, or blank for no value.

message_uuid

string

Message UUID: The unique identifier of the remote action execution. Details: The message UUID is used to identify a single remote action execution and is generated when a remote action is triggered.

number_of_executions

long

Number of executions: The number of times the remote execution attempted to run on the device.

outputs

string

Outputs: A list of outputs collected by the remote action execution.

purpose

enumeration

Purpose: The purpose of the remote action defined in the configuration. Details: The purpose is part of the remote action configuration and describes whether the remote action is collecting data, remediating an issue or performing both functions. Possible values:

data_collection
remediation
both

request_id

string

Request ID: The unique identifier for the request that created this remote action execution. Details: The request ID is generated and linked to individual remote action executions when a remote action is triggered against one or multiple devices. This field can be used as a method of grouping remote action executions

request_time

datetime

Request time: The date and time when the remote action execution was triggered.

status

enumeration

Status: The current status of the remote action execution. Details: The status can be used to monitor whether a remote action execution has finished or not. Possible values:

in_progress
expired
failure
success
no_script
cancelled
old_collector
waiting_on_device

status_details

string

Status details: The latest message returned by the remote action execution. Details: The status details field contains the return message and exit codes from the remote action.

time

datetime

Time: The date and time the remote action execution was last updated.

trigger_method

enumeration

Trigger method: Displays the mode of trigger used to start the remote action execution. Details: Possible values:

manual: the remote action is executed on manually selected devices
automatic: the remote action is executed on a recurring basis based on a centrally-managed schedule
automatic_local_schedule: the remote action is executed on a recurring basis based on a schedule on the endpoint
API: the remote action is executed programmatically using the Remote Actions API on selected devices
workflow: the remote action is executed as part of a Nexthink workflow

executions_summary

The table collecting the trend of executed remote actions.

executions_summary are sampled events.

executions_summary are associated to remote_action

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

inputs

string

Inputs: A list of inputs provided for the remote action execution. Details: The list of inputs provided for the remote action execution at the point that it was triggered. These inputs are used by the remote action to influence how it behaves.

number_of_executions

long

Number of executions: The number of times the remote execution attempted to run on the device.

purpose

enumeration

data_collection
remediation
both

status

enumeration

Status: The current status of the remote action execution. Details: The status can be used to monitor whether a remote action execution has finished or not. Possible values:

in_progress
expired
failure
success
no_script
cancelled
old_collector
waiting_on_device

status_details

string

Status details: The latest message returned by the remote action execution. Details: The status details field contains the return message and exit code that came back from the remote action.

time

datetime

Time: The date and time when the remote action execution was last updated.

trigger_method

enumeration

Trigger method: The trigger used to start the remote action execution. Details: Possible values:

null
automatic
api
manual

Namespace service

The service namespace is an inventory of critical system components and specialised applications that run in the background on user devices. It allows for efficient status and/or configuration tracking and optimisation to ensure system reliability and security. Please note: This feature is exclusive to Nexthink Infinity.

services

Field

Type

Description

Supported platforms

arguments

string

Arguments: Parameters used for launching the service. Requirements: Exclusive to Nexthink Infinity. Details: Unique ids, hashes contained in arguments might be replaced with ellipses to correlate the same services better. Similarly, paths present in arguments might get tokenised. Eg. they can be matched with same binary paths captured for execution crashes.

Windows

dependency_of

jsonArrayString

Dependency of: List of other services and drivers that depend on this service. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service.

Windows

depends_on

jsonArrayString

Depends on: List of services and drivers that the given service depends on. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service.

Windows

description

string

Description: Purpose of the the service as stated by the developer. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. English version takes precedence.

Windows

display_name

string

Display name: User friendly name of the service. Requirements: Exclusive to Nexthink Infinity. Details: As reported by the first device running the same service. English version takes precedence.

Windows

module_path

string

Module path: dll module loaded by the main executable. Requirements: Exclusive to Nexthink Infinity.

Windows

name

string

Name: Short name of the Service used for identification. Requirements: Exclusive to Nexthink Infinity.

Windows

path

string

Path: Location of the binary that is executed for the service. Requirements: Exclusive to Nexthink Infinity. Details: Unique ids, hashes contained in the path might be replaced with ellipses to correlate the same services better.

Windows

uid

uuid

Service UID: It represents a numerical value that uniquely identifies a service on the Nexthink platform.

Windows

changes

changes are punctual events.

changes are associated to service, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

field

enumeration

Field: Name of the attribute of the related service that has changed. Requirements: Exclusive to Nexthink Infinity.

Windows

new_value

string

New value: New value of the field that has changed. Requirements: Exclusive to Nexthink Infinity.

Windows

old_value

string

Old value: Previous value of the field that has changed. Requirements: Exclusive to Nexthink Infinity.

Windows

time

datetime

Time: When the change of the value was detected.

Windows

installations

Punctual event, indicating when an service was added or removed to a particular device.

installations are punctual events.

installations are associated to service, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

event_type

enumeration

Installation type: Indicates if the service was installed or uninstalled. (install, uninstall) Requirements: Exclusive to Nexthink Infinity

Windows

time

datetime

Time: When the item was detected to be added or removed.

Windows

installed_services

A table of all installed services on all devices.

installed_services are associated to device, service,

Field

Type

Description

Supported platforms

first_seen

datetime

Service first seen: Service first seen on the given device. Requirements: Exclusive to Nexthink Infinity.

Windows

last_updated

datetime

Service info last updated: When was the last change of the service captured on the given device. Requirements: Exclusive to Nexthink Infinity.

Windows

logon_as

string

Service logs on as: Either one of the main 4 options (Local System, Local Service, Network Service, Per user) or an explicit user. Requirements: Exclusive to Nexthink Infinity. Details: The "per user" startup-type is specific to so called per-user services that are run on user login, for the specific user, in their own session.

Windows

startup_type

enumeration

Service startup type: The startup type (Automatic, Manual, Disabled, or Delayed) defines how and when a Windows service initiates its operation. Requirements: Exclusive to Nexthink Infinity. Details: Automatically started services are launched after the device was booted, while Delayed ones usually wait 120s after the last Automatic service has been started. (Delay period is configurable.) Manual services are launched on-demand.

Windows

Namespace session

The session namespace consists of several events tables related to a user session on a device. The session events table contains all sampled metrics in 15-minute and 24-hour buckets. The others are punctual events linked to a session.

connects

The table collecting connections linked to user sessions.

connects are punctual events.

connects are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_connects

integer

Number of connects: The number of session connects.

session_uid

string

Session UID: The session UID.

time

datetime

Time: The date and time of the connection.

disconnects

The table collecting disconnections linked to user sessions.

disconnects are punctual events.

disconnects are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_disconnects

integer

Number of disconnects: The number of session disconnects.

session_uid

string

Session UID: The session UID.

time

datetime

Time: The date and time of the disconnect.

events

The table collecting performance metrics and attributes specific to both local and remote sessions.

events are sampled events.

events are associated to user, device

Field

Type

Description

Supported platforms

average_network_latency

duration

Average network latency: It indicates how long it took on average for remote access protocol packets to travel from the endpoint to the virtual desktop and back. Some users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine.

Windows

average_rtt

duration

Average RTT: It indicates how long it took on average for the virtual desktop to respond to the user input. Some users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for remote desktop sessions that are accessed through the Citrix ICA/HDX remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. Details: The session input round trip time combines network performance and performance of the virtual desktop in a single measurement. To diagnose the cause of a high value, you also need to look at the session network latency. If the session latency is also high then you should first investigate network connections. Otherwise, start investigating the performance of the virtual desktops.

Windows

bucket_duration

duration

Bucket duration: It represents the timespan over which the metrics were measured and aggregated.

client_ip

ipAddress

Client IP address: The IP address of the device used to access the remote virtual desktop. Requirements: This value is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine. Note that some modern desktop virtualization solutions no longer support this value due to security and network routing restrictions.

Windows

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration_with_high_user_input_delay

duration

Duration with high user input delay: The amount of time the session took longer than 200 milliseconds to respond to a user input. Requirements: The user input delay requires Windows 11 or Window Server 2022.

Windows

duration_with_medium_user_input_delay

duration

Duration with medium user input delay: The amount of time the session took longer than 100 milliseconds to respond to a user input. Requirements: The user input delay requires Windows 11 or Window Server 2022.

Windows

end_time

datetime

Bucket end: It represents the date and time at which the data collection ended for the given timespan.

max_network_latency

duration

Maximum network latency: The maximum amount of time it took for the remote access protocol packets to travel from the endpoint to the virtual desktop and back. Users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for sessions that are accessed remotely through a remote access protocol. Furthermore, this metric requires Nexthink Collector installed on the virtual desktop machine.

Windows

max_rtt

duration

Maximum RTT: The maximum amount of time it took for the virtual desktop to respond to a user input. Users may experience slowness if it exceeds 150 milliseconds. Requirements: This metric is only available for remote desktop sessions that are accessed through the Citrix ICA/HDX remote access protocol. Furthermore, this metric requires Nexthink Collector to be installed on the virtual desktop machine. Details: The session input round trip time combines network performance and performance of the virtual desktop in a single measurement. To diagnose the cause of a high value, you also need to look at the session network latency. If the session latency is also high then you should first investigate the network connections. Otherwise, start investigating the performance of the virtual desktops.

Windows

protocol

enumeration

Protocol: The remote access protocol used to connect to the session. The possible values are:

Citrix - ICA
VMware - Blast
VMware - PCOIP
RDP
Local session
Amazon PCOIP

session_id

long

Session ID: A temporary identifier which is assigned to each user session on a Windows computer. On a macOS device, the session ID represents the program ID of the process that is hosting the session. Details: Typically, only one interactive user is present on a Windows device at any given time. On a virtual desktop, many users may be interacting with the device at the same time. Each user session will get a unique ID assigned when the user logs in. The ID stays with that session until the user logs off. After that, the session ID will be reused for the next user who logs in. Beware that the session ID cannot be used to uniquely identify sessions on the Nexthink platform.

session_uid

string

Session UID: The unique identifier of a session on the Nexthink platform.

start_time

datetime

Bucket start: The start time of the bucket.

user_interaction_time

duration

Interaction time: The time that the user was actively interacting with the session. Details: Collector gathers information when and how long the user was interacting with the computer with the help of a keyboard or a pointing devices. The sum of these interactive periods are reported as a duration.

lifecycle_events

The table collecting all events linked to user sessions.

lifecycle_events are punctual events.

lifecycle_events are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_lifecycle_events

integer

Number of events: The number of session events.

session_uid

string

Session UID: The session UID

time

datetime

Time: The date and time of the lifecycle event.

type

enumeration

Lifecycle event type: The type of lifecycle event. Possible values are:

login
logout
lock
unlock
connect
disconnect

Details: The connect and disconnect events refer to Microsoft Windows' WTSConnected, WTSDisconnected functions. This means that there will be a connection event without a corresponding login event when a user attempts to remotely access a device and establishes a connection but does not finish authentication.

locks

The table collecting locks linked to the user sessions.

locks are punctual events.

locks are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_locks

integer

Number of locks: The number of session locks.

session_uid

string

Session UID: The session UID

time

datetime

Time: The date and time of the lock event.

logins

The table collecting all session logins.

logins are punctual events.

logins are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_logins

integer

Number of logins: The number of logins.

session_uid

string

Session UID: The session UUID

time

datetime

Time: The date and time of the login.

time_until_desktop_is_ready

duration

Time until desktop ready: The number of seconds between the user login and the device is ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.

Windows

time_until_desktop_is_visible

duration

Time until desktop visible: The number of seconds between the last user login and the time the desktop appears.

Windows

logouts

The table collecting all session logouts.

logouts are punctual events.

logouts are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_logouts

integer

Number of logouts: The number of logouts.

session_uid

string

Session UID: The session UUID

time

datetime

Time: The date and time of the logout.

unlocks

The table collecting unlocks linked to user sessions.

unlocks are punctual events.

unlocks are associated to user, device

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

number_of_unlocks

integer

Number of unlocks: The number of session unlocks.

session_uid

string

Session UID: The session UID.

time

datetime

Time: The date and time of the unlock event.

Namespace software_metering

The software metering namespace contains a table that stores software usage to optimize licenses across an organization. This data is collected for the software meters configured in the system.

meter_configurations

meter_configuration

Field

Type

Description

Supported platforms

description

string

Description: The description of a software meter configuration. Details: User-defined through Software metering configuration interface.

The description of the software meter can be changed after creation.

license_type

enumeration

License type: The type of licensing model for the configured software meter. It could be: User-based or Device-based. Details: User-defined through Software metering configuration interface.

The license type of the software meter can be changed after creation.

name

string

Name: The name of a software meter configuration. Details: User-defined through Software metering configuration interface.

Software meter configurations are based on Application Objects
The name of the software meter can be changed after creation and should not be used as a unique identifier.

nql_id

string

NQL ID: The unique identifier of a software meter configuration. Details: NQL ID cannot be changed after initial creation.

events

event

events are punctual events.

events are associated to device, user, application, meter_configuration

Field

Type

Description

Supported platforms

context.location_geo_ip.country

string

Country location: The country in which the device is located at the time of the event.

context.location_geo_ip.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location_geo_ip.state

string

Country subdivision location: The state in which the device is located at the time of the event.

context.location_geo_ip.type

string

Type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

desktop_execution_duration

duration

Execution duration - Desktop: Execution duration of Desktop part. Requirements: The configured software meter should have a desktop part to be populated.

desktop_focus_time

duration

Focus time - Desktop: The amount of time when any window of the software's executables was in focus. Requirements:

Focus time needs to be enabled. The system disables it by default.
It applies only to software meters that include a desktop application.

How to enable focus time metric

end_time

datetime

Bucket end: The end time of the bucket. Details: The bucket for software metering has a resolution of 1 week and always starts at the beginning of the week UTC.

start_time

datetime

Bucket start: The start time of the bucket. Details: The bucket for software metering has a resolution of 1 week and always starts at the beginning of the week UTC.

web_focus_time

duration

Focus time - Web: The amount of time when a browser tab is running the software and has the focus. Requirements:

Web usage time needs to be enabled. The system enables it by default.
The configured software meter should have a web part to be populated.

How to enable web usage time metric Details: It is collected via the Nexthink browser plugin.

web_is_used

bool

Webpart usage indicator: It indicates if the user accessed the URLs of the software. It should be used in case Web usage time is disabled for web applications. Details: It is collected via the Nexthink Browser plugin.

Namespace web

The web namespace contains tables that store events, errors, page views and transactions that occur in the business-critical services defined in the tables of the application namespace.

errors

The table collecting errors of defined business-critical services.

errors are sampled events.

errors are associated to binary, device, user, application, page

Field

Type

Description

Supported platforms

adapter_type

enumeration

Adapter type: The type of adapter used when the error occurred. Possible values are:

WiFi
Ethernet
Bluetooth

Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.

bucket_duration

duration

Bucket duration: The duration of the bucket.

code

integer

Error code: The extended HTTP response status. This is a numerical field denoting the code associated with the error, for example, 404, 401, 601. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

end_time

datetime

Bucket end: The end time of the bucket.

label

string

Error label: The error message as reported by the browser. The web browser reports a wide range of error types that the Nexthink browser extension catches and reports to the Nexthink instance, for example, HTTP 404, net::ERR_TIMED_OUT. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

number_of_errors

integer

Number of errors: The number of web errors recorded within the time bucket. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.

start_time

datetime

Bucket start: The start time of the bucket.

url

string

URL: The navigation URL recorded when the error event happened. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.

errors_summary

The table collecting errors of defined business-critical services up to 90d

errors_summary are sampled events.

errors_summary are associated to application, page

Field

Type

Description

Supported platforms

adapter_type

enumeration

Adapter type: The type of adapter used when the error occurred. Possible values are:

WiFi
Ethernet
Bluetooth

Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.

bucket_duration

duration

Bucket duration: The duration of the bucket.

code

integer

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

end_time

datetime

Bucket end: The end time of the bucket.

label

string

number_of_errors

integer

start_time

datetime

Bucket start: The start time of the bucket.

events

The table collecting events of defined business-critical services.

events are sampled events.

events are associated to binary, device, user, application, page

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration: The duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

Usage time: The time spent using the application or key page. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.. Details: The usage time includes both page load time and the time the employee is not interacting with the page at all, as long as the tab is focused. More info from the documentation

end_time

datetime

Bucket end: The end time of the bucket.

start_time

datetime

Bucket start: The start time of the bucket.

events_summary

The table collecting events of defined business-critical services up to 90d

events_summary are sampled events.

events_summary are associated to application, page

Field

Type

Description

Supported platforms

bucket_duration

duration

Bucket duration: The duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

end_time

datetime

Bucket end: The end time of the bucket.

start_time

datetime

Bucket start: The start time of the bucket.

page_views

Table collecting page views of defined business-critical services.

page_views are sampled events.

page_views are associated to binary, device, user, application, page

Field

Type

Description

Supported platforms

adapter_type

enumeration

Adapter type: The type of adapter used when the navigation occurred. Possible values are:

WiFi
Ethernet
Bluetooth

bucket_duration

duration

Bucket duration: The duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

detailed_page_load_time.connect

duration

Connect time: The time spent establishing TCP connection, including secure socket connection, if performed. The connect time metric provides insights into the latency and performance of the connection establishment process. That metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that this metric is not measured for every page view event or subsequent requests within a single browsing session. Once the TCP connection is established, subsequent requests can reuse the existing connection, which eliminates the need for the TCP handshake and reduces the overall latency. More info from the documentation

detailed_page_load_time.dom_content_loading

duration

DOM loaded time: The time it took for a webpage to finish creating its visual structure, known as the render tree. It starts when the necessary styles for the page, known as the CSS Object Model, are ready. The 'DOMContentLoaded' event is triggered before the complete loading of external resources such as images, stylesheets, and scripts. This means that once this event is completed, critical functionality and interactivity become available to users, even if additional resources are still loading in the background. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The timing metric associated with the 'DOMContentLoaded' event includes two properties: 'domContentLoadedEventStart' and 'domContentLoadedEventEnd.' These properties represent the start and end times of the render tree creation process. Optimizing the 'DOMContentLoaded' event can significantly improve the perceived performance of a webpage. Techniques to enhance this metric include minimizing render-blocking resources, lazy loading non-critical resources, optimizing JavaScript execution, and implementing resource caching. More info from the documentation

detailed_page_load_time.dom_processing

duration

DOM processing time: The time it takes for a webpage to finish building its structure and become fully interactive. This process is called constructing the Document Object Model (DOM).This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The complete state, represented by the 'domComplete' property, marks the point when the browser has fully constructed the DOM tree, including any dynamically generated or modified elements. It signifies the completion of the DOM processing phase. Optimizing DOM processing involves techniques like optimizing HTML structure, reducing DOM complexity, optimizing external resources, and improving JavaScript execution. Faster DOM processing leads to quicker rendering and interactivity, enhancing the overall user experience. More info from the documentation

detailed_page_load_time.domain_lookup

duration

DNS lookup time: The time spent on DNS resolution, for example, the time between the browser starting to resolve the domain name and when the resolution is complete. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Note that the this metric is not measured for every request. It is typically measured once per browsing session or connection. More info from the documentation

detailed_page_load_time.load_event

duration

Load event time: The time spent on the page load event. The load event is fired when all resources, including images, scripts, stylesheets, and subframes, have finished loading, and the webpage is fully rendered and ready for user interaction. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When you visit a webpage, the browser needs to download and process various resources like images, scripts, stylesheets, and other elements. The 'loadEventStart' property indicates the point when the browser begins loading these resources.The 'loadEventEnd' property, on the other hand, represents the moment when the webpage has finished loading all the necessary resources and is fully displayed on the screen, ready for you to use. If the load event takes a long time to complete, it could indicate issues such as slow server response, large resource sizes, excessive JavaScript execution, or inefficient resource loading strategies. More info from the documentation

detailed_page_load_time.redirect

duration

Redirect time: The time spent on page redirections. If there are any redirects involved in the navigation, these properties indicate the start and end times of the redirect process. They measure the time taken to complete any HTTP redirects, which occur when a server responds to a request with a redirection status code. This metric contributes to the 'network time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Redirects could happen, for example, when a website has changed its URL or when certain content has been moved. More info from the documentation

detailed_page_load_time.request

duration

Request time: The time it takes to wait for the first byte of the document response. This is the time between when the browser starts requesting the document from the server, and when the browser receives the first by of the response from the server. This metric is the only contributor to the 'backend time' metric. Backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries, or server overload. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

detailed_page_load_time.response

duration

Response time: The elapsed time between the first and last bytes of the response. It measures the efficiency of network communication and contributes to the 'network time' metric. Optimizing response time involves minimizing network latency, using data compression, implementing caching mechanisms, and reducing round trips. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

detailed_page_load_time.secure_connection

duration

TLS time: The time it takes to establish a secure socket connection (TLS handshake) between the browser and the webserver. This metric represents a part of the connection metric. Note that the this metric is not measured for every page view event or subsequent requests within a single browsing session. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

detailed_page_load_time.unload_event

duration

Unload event time: The time spent on the page unload event. An unload event is triggered when the user navigates away from the page or when the page is reloaded. This metric contributes to the 'client time' metric. Requirements: The metric is collected exclusively for hard navigations using the Navigation Timing API. The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

domains_contacted

integer

Number of domains contacted: It indicates the number of unique domain names from which various resources (such as images, scripts, stylesheets, fonts, etc.) are being fetched. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: This metric indicates the level of domain diversity in terms of resource retrieval during the loading process of a web page. These domains can include the application's own domain, as well as domains for third-party resources like analytics scripts, ads, content delivery networks (CDNs), and more. Each unique domain contacted represents a separate server from which the browser needs to fetch resources, and this can impact overall page load times.

end_time

datetime

Bucket end: The date and time of the bucket end.

experience_level

enumeration

Experience level: The user experience level of a navigation evaluated by the extension, based on the defined thresholds. Possible values are:

good
average
frustrating

Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The thresholds are configured for each application through the application configuration menu. More info from the documentation

is_soft_navigation

bool

Soft navigation: It indicates whether a navigation is a hard navigation or soft navigation. Soft navigations refer to navigations within a single-page application, where the browser does not load a new page, as opposed to hard navigations where a webpage is initially loaded. Note that soft navigations are not collected by default and should be enabled on a per-application basis. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

largest_resource_load_time

duration

Largest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: When a user's browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. This metric is collected through 'Performance Resource Timing' API.

largest_resource_size

bytes

Size of the largest resource: The size of the largest resource. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. This metric is collected through 'Performance Resource Timing' API.

largest_resource_type

string

Type of the largest resource: The type of the largest resource, e.g: 'stylesheet', 'script', 'image'. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. This metric is collected through 'Performance Resource Timing' API.

largest_resource_url

string

URL of the largest resource: It indicates the URL of the largest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Largest resource' refers to the resource that had the biggest file size to be fully loaded while loading a web page. Note that resource URLs are sanitised using the sanitisation rules described in the online documentation . This metric is collected through 'Performance Resource Timing' API.

longest_resource_load_time

duration

Longest resource duration: It indicates the duration of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event, in seconds. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. If a specific resource takes a significantly longer time to load compared to others, it may affect the overall loading speed of your web application. Note that a page can be perceived as loaded even though some of the resources are being loaded in the background. For hard navigation measurements, we use "Navigation Timings API", which reports page load times for the main document. This is why, for some hard navigations, you can see an overall page load time reported to be shorter than the "longest resource load time". This metric is collected through the "Performance Resource Timing" API.

longest_resource_size

bytes

Size of the longest resource: The size of the longest resource. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. This metric is collected through 'Performance Resource Timing' API.

longest_resource_type

string

Type of the longest resource: The type of the longest resource, e.g: 'stylesheet', 'script', 'image'. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: 'Longest resource' refers to the resource that experienced the lengthiest loading time among all the necessary elements for rendering a web page. This metric is collected through 'Performance Resource Timing' API.

longest_resource_url

string

URL of the longest resource: It indicates the URL of the longest resource (such as images, scripts, stylesheets, or other files) during a navigation event. Requirements: Applications needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: Note that resource URLs are sanitised using the sanitisation rules described in the online documentation . This metric is collected through 'Performance Resource Timing' API.

number_of_active_tabs

long

Number of active tabs: It indicates the number of open and active tabs of a browser. Users may experience web application slowness if this value is too large. This measurement is collected for every navigation and transaction event. Note that browsers offload or deactivate certain tabs over time to save memory. This metric presents the active tabs on a browser that are not offloaded or deactivated. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.

number_of_large_resources

integer

Number of large resources: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that are larger than 100KB, during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: When a browser needs to download and render large resources, it can lead to increased latency and slower page load times. By analyzing the number of large resources, you can identify files that may be optimized or compressed to reduce their size. This metric is collected through "Performance Resource Timing" API.

number_of_page_views

integer

Number of page views: The number of page views that took place within the time bucket. Requirements: The applications need to be defined through the application configuration menu. The Nexthink browser extension needs to be installed on the browser.

number_of_resource_errors

integer

Number of resource errors: It indicates the number of resources (such as images, scripts, stylesheets, or other files) that failed to load or encountered errors during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: Resource errors can indicate that some files or assets are missing from the web application. This may result in broken links, missing images, or non-functional scripts. This metric is collected through the "Performance Resource Timing" API.

number_of_resources

integer

Number of resources: It indicates the total number of resources (such as images, scripts, stylesheets, or other files) loaded during a navigation event. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The more resources a web page has, the longer it may take to load and render in the browser. By analyzing the number of resources, you can identify opportunities to optimize the performance of your web application. For example, you might consider minimizing or combining CSS and JavaScript files, compressing images, or using caching techniques to reduce the number of requests made to the server. This metric is collected through the "Performance Resource Timing" API.

page_load_time.backend

duration

Backend time: The estimated time spent on the backend side during a navigation. The backend time is affected by various factors such as database queries, API calls, and processing time. A long backend time can indicate poor application design, inefficient database queries or server overload. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: More info from the documentation

page_load_time.client

duration

Client time: The time taken by the client-side application, running on the device, to respond. It represents the portion of the total page load time that is not spent on network and backend, for example 'Client time' is 'Total page load time' minus 'Backend time' and 'Network time'. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long client time can indicate issues such as slow rendering of page elements, excessive JavaScript processing, inefficient CSS styling or device/OS processing other tasks. More info from the documentation

page_load_time.network

duration

Network time: The time it takes for a web request to travel over the network from client device to the server and for the server response to travel back. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: A long network time can indicate issues such as network congestion, poor server performance, or geographical distance between the server and the client. It is important to note that the network time can also be impacted by the size and complexity of the web page being loaded, as well as the geographical location of the server and the client device. More info from the documentation

page_load_time.overall

duration

Page load time: It indicates the time taken by a page to load. Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser.

response_size

bytes

Response size: The size of the HTTP response.

start_time

datetime

Bucket start: The date and time of the bucket start.

url

string

URL: The navigation URL recorded when the page view event took place.

page_views_summary

Table collecting page views of defined business-critical services up to 90d

page_views_summary are sampled events.

page_views_summary are associated to application, page

Field

Type

Description

Supported platforms

adapter_type

enumeration

Adapter type: The type of adapter used when the navigation occurred. Possible values are:

WiFi
Ethernet
Bluetooth

bucket_duration

duration

Bucket duration: The duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

detailed_page_load_time.connect

duration

detailed_page_load_time.dom_content_loading

duration

detailed_page_load_time.dom_processing

duration

detailed_page_load_time.domain_lookup

duration

detailed_page_load_time.load_event

duration

detailed_page_load_time.redirect

duration

detailed_page_load_time.request

duration

detailed_page_load_time.response

duration

detailed_page_load_time.secure_connection

duration

detailed_page_load_time.unload_event

duration

domains_contacted

integer

end_time

datetime

Bucket end: The date and time of the bucket end.

experience_level

enumeration

Experience level: The user experience level of a navigation evaluated by the extension, based on the defined thresholds. Possible values are:

good
average
frustrating

is_soft_navigation

bool

largest_resource_load_time

duration

largest_resource_size

bytes

largest_resource_type

string

largest_resource_url

string

longest_resource_load_time

duration

longest_resource_size

bytes

longest_resource_type

string

longest_resource_url

string

number_of_active_tabs

long

number_of_large_resources

integer

number_of_page_views

integer

number_of_resource_errors

integer

number_of_resources

integer

page_load_time.backend

duration

page_load_time.client

duration

page_load_time.network

duration

page_load_time.overall

duration

response_size

bytes

Response size: The size of the HTTP response.

start_time

datetime

Bucket start: The date and time of the bucket start.

transactions

The table collecting transactions of defined business-critical services.

transactions are sampled events.

transactions are associated to binary, device, user, application, transaction

Field

Type

Description

Supported platforms

adapter_type

enumeration

Adapter type: The type of adapter used when the transaction occurred. Possible values are:

WiFi
Ethernet
Bluetooth

bucket_duration

duration

Bucket duration: The duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

Transaction duration: The time it took for the transaction to complete.

end_time

datetime

Bucket end: The end time of the bucket.

experience_level

enumeration

Experience level: The user experience level of a transaction evaluated by the extension, based on the defined thresholds. Possible values are:

good
average
frustrating

Requirements: The applications need to be defined through the Applications configuration menu. The Nexthink browser extension needs to be installed on the browser. Details: The thresholds are configured for each application through the Applications configuration menu.

number_of_transactions

integer

Number of transactions: The number of transactions that took place within the time bucket.

start_time

datetime

Bucket start: The start time of the bucket.

status

enumeration

Status: The transaction status. Possible values are:

completed
time_out
aborted_unload
aborted_new
aborted_input

Requirements: Applications and transactions needs to be defined through the Applications configuration menu. Nexthink browser extension needs to be installed on the browser. Details: The 'time_out' status is received when the end trigger was not received within 10 minutes. The 'aborted_unload' status is received when navigation to a new web application on the same tab takes place, or the tab was closed before the transaction was completed. The 'aborted_new' status is received when the transaction was aborted by the same, or another, transaction, i.e. when the detection restarts. The 'aborted_input' status is received when the detection was aborted by a user interaction.

transactions_summary

The table collecting transactions of defined business-critical services up to 90d

transactions_summary are sampled events.

transactions_summary are associated to application, transaction

Field

Type

Description

Supported platforms

adapter_type

enumeration

Adapter type: The type of adapter used when the transaction occurred. Possible values are:

WiFi
Ethernet
Bluetooth

bucket_duration

duration

Bucket duration: The duration of the bucket.

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration

Transaction duration: The time it took for the transaction to complete.

end_time

datetime

Bucket end: The end time of the bucket.

experience_level

enumeration

Experience level: The user experience level of a transaction evaluated by the extension, based on the defined thresholds. Possible values are:

good
average
frustrating

number_of_transactions

integer

Number of transactions: The number of transactions that took place within the time bucket.

start_time

datetime

Bucket start: The start time of the bucket.

status

enumeration

Status: The transaction status. Possible values are:

completed
time_out
aborted_unload
aborted_new
aborted_input

Namespace workflow

The workflows namespace consists of tables giving details about workflows, including configuration data and executions of workflows. Workflows are a dynamic and logical collection of Nexthink and 3rd party actions combined to deliver a multi-faceted solution.

workflows

workflow

Field

Type

Description

Supported platforms

name

string

Name: The name of the workflow. Details: User defined friendly name created through the workflow configuration page. The name of the workflow can be changed after the creation and should not be considered as a unique identifier.

nql_id

string

Workflow NQL ID: The unique identifier of a workflow. Details: The NQL ID cannot be changed after the initial creation.

executions

execution

executions are punctual events.

executions are associated to device, user, workflow

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

duration_seconds

duration

Execution Duration: The time taken for the workflow execution to complete. Details: The execution duration is a measure of the time between the workflow execution start and end states.

execution_id

uuid

Execution ID: The unique identifier of the workflow execution. Details: The execution ID is used to identify a single workflow execution and is generated when a workflow is started.

external_reference

string

External reference: An identifier of the external web application record in reference to which the workflow was executed. Details: The field could contain the values such as the ticket identifier of the ITSM ticket.

external_source

string

External source: Name of the external system, outside of Nexthink, from where the workflow was triggered. Details: External source contains the name of the external system which either used Nexthink product or directly the API to trigger the workflow.

inputs

string

Inputs: A list of inputs provided for the workflow execution. Details: The list of inputs provided for the workflow execution at the point it was triggered. These inputs are used by the workflow to influence both the outcomes of actions within the flow and the logical path which the workflow takes.

internal_source

string

Internal source: Displays the name of the feature from which the workflow was triggered. Possible values: Amplify, Remote Action, Workflow, Investigation, Device view, or blank for no value.

number_of_executions

long

Number of executions: The number of times this workflow execution attempted to run.

outcome

enumeration

Outcome: The resulting outcome of finishing a workflow Details: Possible values:

unspecified
action_taken
no_action_taken
failed
other

outcome_details

string

Outcome details: The reason why the outcome of a workflow was reached Details: The details of why an outcome has been reached after finishing a workflow

request_id

uuid

Request ID: The unique identifier of the request that created this workflow execution. Details: The request ID is generated and linked to individual workflow executions when a workflow is triggered against one or multiple targets. This field can be used as a method of grouping workflow executions together against the request to run them.

request_time

datetime

Request time: The date and time that the workflow execution was triggered.

status

enumeration

Status: The status of the execution. Possible values are:

failure
success
in_progress
cancelled

Details: The status can be used to monitor whether a workflow execution has finished or not. Possible values:

in_progress
success
failed canceled

status_details

string

Status details: The latest message returned by the workflow execution. Details: The status details field is usually only populated when the workflow execution has encountered a problem. The field contains a description of why the workflow execution has not completed successfully.

time

datetime

Last updated: It represents the date and time the workflow execution was last updated.

trigger_method

enumeration

Trigger method: The trigger that was used to start the workflow execution. Details: Possible values:

manual
null
scheduler
api
event

workflow_version

integer

Workflow version: The version of the workflow used for this execution. Details: The workflow version field helps to identify which version of the workflow design is being followed for this specific workflow execution.

executions_summary

execution_summary

executions_summary are sampled events.

executions_summary are associated to workflow

Field

Type

Description

Supported platforms

context.location.country

string

Country location: The country in which the device is located at the time of the event.

context.location.site

string

Site: The site of location indicates the devices rule based site at the time of the event.

context.location.state

string

State location: The state in which the device is located at the time of the event.

context.location.type

string

Location type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity to which the device belongs.

inputs

string

Inputs: A list of inputs provided for the workflow execution. Details: The list of inputs are those were provided for the workflow execution by the user, via a schedule or from a call to the Nexthink Infinity API. These inputs are used by the workflow to influence both the outcomes of actions within the flow and the logical path which the workflow takes.

number_of_executions

long

Number of executions: The number of times this workflow execution attempted to run.

outcome

enumeration

Outcome: The resulting outcome of finishing a workflow Details: Possible values:

unspecified
action_taken
no_action_taken
failed
other

outcome_details

string

Outcome details: The reason why the outcome of a workflow was reached Details: The details of why an outcome has been reached after finishing a workflow

status

enumeration

Status: The overall status of the workflow execution. Details: The status can be used to monitor whether a workflow execution has finished or not. Possible values:

in_progress
success
failed
canceled

time

datetime

Time: The date and time the workflow execution was last updated.

trigger_method

enumeration

Trigger method: The trigger that was used to start the workflow execution. Details: Possible values:

manual
null
scheduler
api
event