Search with Finder (classic)
Overview
Finder divides the results of a search on the Start page into two columns:
The left-hand column, entitled Investigations, shows both existing investigations that match the search terms and automatically generated investigations that the system infers from the search terms and suggests to the user. Because of the automatic inference, this part is also known as the smart search. The display of results is as follows:
An icon that indicates the type of object or activity on which the investigation is based
A label Suggested, if the investigation was automatically generated
The name of the investigation
The timeframe that restrains the results to a particular interval of time
The right-hand column shows search results based on the name of objects (for example, Devices or Executables), Services, Metrics, Scores, Remote actions, and Categories.
Suggested investigations
Finder uses the words that you type to suggest investigations. It looks up whether the words match:
An object type (for example, device) or an activity type (for example, connection)
The name of a platform if you want to filter the results based on the type of devices (for example, windows)
A keyword (for example, crash, performance)
A condition on an object type
Names of objects
Names of services
Names of entities
The name of a category (for example, NXT - Server type) or one of its keywords (for example, Proxy)
A timeframe
To iteratively reduce the scope of the search, we recommend that you type the words in the order listed above. After the first typed word, Finder provides search results that you can refine as you type more words. This order is not mandatory, as Finder does not take word order into account.
When the Cross-Engine search features are enabled in Finder, the suggested investigations additionally look for words matching the following items in all Engines, subject to the domain view of the Finder user:
All users and devices
Domains seen in the last 5 days
Any other object seen in the last 7 days
Objects, activities and platforms
Below is a list of objects and activities that you can use.
users
devices
packages
applications
executables
binaries
ports
destinations
domains
installations
executions
connections
web requests
system boots
user logons
windows
mac
mobile
For example, search for packages:
packages
All packages - full period
When the Cross-Engine search features are enabled in Finder, the search tool looks for objects across all Engines and for all other shared items such as metrics, categories, services or remote actions. Displayed users and devices are limited to the domain view of the user that launched the search, while other objects and items may be outside the domain view of the user. In the latter case, the user cannot further investigate the details of the object.
Keywords
It is possible to look for errors and warnings in devices or applications using keywords. For instance, type errors in the Search box to get a list of any kind of error in the system. You will get the same results if you use the synonyms for error such as issue, problem or failure.
To find more specific types of errors, you can use any of the following (or another valid synonym):
system crash
application crash
application freeze (not responding)
high CPU
high memory
For example, to look for application crashes, just type in application crash.
application crash
Application crashes - today
A condition on an object type
You can type the name of an existing user and Finder will show you suggested investigations that use the condition on the user name.
user UserName
Devices used by user UserName - full period
Names of objects
Type in the names of objects in your queries to look for a concrete instance of an object. As a Finder user, you must have the right privilege level to see the names of some objects. Otherwise, they appear as anonymized in the search tool and you will be unable to search them by name.
For example, type in the name of a device or a user in the Search box. You do not need to type in a full name. The Search populates the list of suggestions with investigations related to the objects with that name inside their properties. Finder highlights the name in the list of results.
If Finder detects that many objects match the name, it may infer that the word that you typed in is in fact a fragment of the actual name. In this case, the suggested investigations relate to groups of objects whose properties match the fragment. This is indicated by displaying the asterisk * wild card surrounding the name.
When you type names in the Search box, you can get a mix of suggested investigations that either match one object exactly or match a group of objects. For each investigation, Finder may interpret the word as a full name or as a fragment. For example:
nxtc
Application matching nxtcfg.exe - full period
Applications used to access domain *nxtc*
Names of services
Similarly to names of objects, look for names of services in the Search box to get investigations related to a particular service. For instance, if you have a service called Mail Service, start typing mail and you will get the following results (among others):
Applications used for Mail Service - today
Devices using Mail Service - today ...
Names of entities
If you have defined a set of entities to build up your hierarchies, type in the names of your entities in the Search box for Finder to suggest investigations related to objects in those entities.
Suggested investigations based on categories
Use the names of categories to refine suggested investigations. For instance, given a category RAM that classifies devices according to the quantity of memory installed, the result of looking for devices with that category is the following:
device RAM
Devices with RAM - full period
The name of the category is highlighted in the list of results and preceded by the label icon that identifies it as a category (not shown in the table).
Instead of the name of a category, you can directly use the name of the keywords of the category. For instance, let us assume that the keywords of the category RAM are:
2GB
3GB
4GB
You can directly look for devices using one of these keywords, or even combine several keywords, by typing:
device 2GB
Devices with RAM set to 2GB - full period
device 3GB 4GB
Devices with RAM set to 3GB or 4GB - full period
Alternatively, you can directly use the name of a category without specifying the type of object and optionally combine it with one of its keywords. In this case, Finder deduces the type of object to which the category applies:
RAM 1GB
Devices with RAM set to 1GB - full period
Timeframe control
Limit the suggestions of Finder to a particular time interval by specifying a timeframe. Below is a list of words that you can use to define a timeframe for the suggested investigations:
Full period: The full time interval stored in the database of the Engine
Today: The current day (from 0 hours to the current time)
Yesterday: The full day before today
Last hour: The last 60 minutes (including the current minute)
Last week: The last seven days (including today)
Platform control for suggestions
If you use one of the platform names in your search, suggestions are adapted to match the available information for that platform.
Note that platform control in the smart search is only activated if devices of platforms other than Windows are detected inside your installation. If you only have Windows devices, the platform keywords (windows, mac os and mobile) are not recognized as such, and instead are considered normal terms of your search.
Synonyms
To make its use more natural, the Search tool of Finder has the ability to recognize the singular and plural forms of these words as well as some of their synonyms. In many cases, you can use your own words to look for information in Finder and still get the expected results. For instance, instead of looking for devices, you can search computers, PCs or workstations.
Once you get used to Nexthink terminology, you may find it more practical, accurate or even easier to utilize the official terms to designate objects or activities.
Using quotes
When searching, you can use quotes to:
Force the search on words with fewer than two letters. Generally, words with fewer than two letters are ignored by Finder.
Force the search to ignore spaces between words and consider the words together. For example, you can search for an application with a name that contains spaces, such as name of my application:
Application "name of my application"
Application matching name of my application - full period
Avoid using reserved words. The quotes instruct Finder that the content inside is the value of an object name and not the name of a type of object or activity. For instance, you get different results when you type the word user in the Search box with quotes and without quotes:
user
User logons - today
"user"
Devices with package user - full period
User's investigation
Finder will check all the words in the user’s investigation and whether one of them matches an object or an activity type. If this is the case, the system will also check if a word matches the object of the conditions.
For example, let's say that the user has a saved investigation named InvestigationABC based on devices:
device InvestigationABC
InvestigationABC
Timeframe control
By default, the original timeframe is used. This timeframe can be modified using the "timeframe control" described for suggested investigations. It will apply if the underlying investigation is compatible with it.
device InvestigationABC today
InvestigationABC - today
Platform control for investigations
Using platform keywords in the search makes Finder suggest only those user investigations that are suitable for all the enumerated platforms.
Using synonyms and quotes
Synonyms and quotes work for user investigations in the same way as described above for suggested investigations.
Show in investigations list
If you want to modify the user's investigation, right-click it and select the option show in investigations list. You can then modify the original investigation by right-clicking it and selecting edit.
Objects search
Up to now, we have discussed the results that the Search tool displays in the left column of the Start page under the title Investigations. This section covers the results of the Search tool that are displayed in the right column of the Start page.
The main use of the right column is to look for a single existing object in the database when you know its name, or at least part of it. In this case, Finder does not have to deduce anything. It just performs a pure search by matching the terms that you type in with the names of objects or investigations in the database. Results are organized by type of object.
Using quotes will work in the same way as on the left panel. To increase the number of results, you can use wildcards:
* : substitutes for zero or more characters
? : substitutes for zero or one character
Finder runs the right and left panel search in parallel, so you do not have to choose between either one. Using wildcards, however, is not yet supported by the investigation search, which is likely to show no suggestions at all if you type in an asterisk or a question mark in your search.