Investigations NQL examples

This list of query examples is designed to help you perform successful investigations in the Nexthink web interface. Go through the investigations listed below and pick the one most similar to the investigation you’re trying to complete. Copy the query and adjust it to your use case.

Query device tables

Get total incoming traffic for outlook.exe in the past 7d for all devices.

devices
| include execution.events during past 7d
| where binary.name == "outlook.exe"
| compute total_incoming_traffic = incoming_traffic.sum()
| list device.name, device.entity, total_incoming_traffic

Find out if there have been frequent system crashes in the past hour, for example, if >2% devices had a crash in last 24h.

devices during past 24h
| include device_performance.system_crashes
| compute system_crash_count= number_of_system_crashes.sum(), crashing_devices= device.count()
| summarize ratio_of_devices_crashing= crashing_devices.sum() * 100 / count() , total_system_crashes= system_crash_count.sum()

List all devices that need a memory upgrade.

devices during past 7d
| include device_performance.events during past 7d
| compute used_memory_ = event.used_memory.avg(), used_memory_percentage= event.used_memory.avg()*100/device.hardware.memory.avg()
| where used_memory_percentage> 75
| list device.name, device.entity, device.hardware.model, device.hardware.type, device.operating_system.name, device.hardware.memory, used_memory_, used_memory_percentage

Count the number of devices that need a memory upgrade and do a breakdown of devices by hardware manufacturer.

devices during past 7d
| include device_performance.events during past 7d
| compute used_memory_ = event.used_memory.avg(), used_memory_percentage= event.used_memory.avg()*100/device.hardware.memory.avg()
| where used_memory_percentage> 75
| summarize c1 = count() by hardware.manufacturer

List devices with low disk space.

devices
| with device_performance.events during past 124h
| compute free_space_on_system_drive = system_drive_free_space.avg()
| where free_space_on_system_drive < 2000MB

Retrieve devices. List all devices with the Nexthink Collector package installed.

devices
| with package.installed_packages
| where package.name == "Nexthink Collector"

Retrieve devices. List all devices without the Nexthink Collector package installed.

devices
| include package.installed_packages
| where package.name == "Nexthink Collector"
| compute number_of_package_installed = count()
| where number_of_package_installed == 0

Query other tables

Retrieve installation events. List all uninstallation of a specific package across all devices.

package.uninstallations
| where package.name == "Nexthink Collector"
| list time, device.name, package.name, package.version

Retrieve packages. List all packages starting with the ones installed on most devices.

package.installed_packages
| summarize number_of_packages_installed = count() by package.name
| sort number_of_packages_installed desc

Retrieve packages. List all packages starting with the ones installed on fewest devices.

package.installed_packages
| summarize number_of_packages_installed = count() by package.name
| sort number_of_packages_installed asc

Retrieve packages. List packages installed on fewer than 5 devices but installed on at least one device.

package.installed_packages
| summarize number_of_packages_installed = count() by package.name
| where number_of_packages_installed > 0 and number_of_packages_installed < 5

List the number of system crashes grouped by error label for the crash.

device_performance.system_crashes during past 7d
| summarize number_of_crashes = number_of_system_crashes.sum() by label
| sort number_of_crashes desc

Count the number of active devices over time, i.e. during past 7 days.

device_performance.events during past 7d
| summarize nb_devices = device.count() by 1d
| sort start_time asc

Get the history (14d) of number of devices with low disk space.

device_performance.events during past 14d
| where system_drive_free_space.avg <= 1000MB
| summarize devices_with_low_disk_space = device.count() by 1d

Get crashes statistics per binary.

execution.crashes during past 7d
| summarize crashes = count(), devices_with_crashes = device.count(), versions_with_crashes = binary.version.count() by binary.name, binary.product_name, binary.platform
| sort devices_with_crashes desc

Get crashes statistics for selected binary on the timeline.

execution.crashes during past 7d
|where binary.name = "zscaler"
| summarize crashes = count(), devices_with_crashes = device.count(), versions_with_crashes = binary.version.count() by 1d

Compute the average usage time of an application per user per day by departments.

web.events during past 7d
| where application.name == "Salesforce Lightning"
| summarize average_department_usage_time_per_user = duration.sum()/ user.name.count() by ad.department
| sort average_department_usage_time_per_user desc

Count campaign responses by campaign and by state to understand campaign progress.

campaign.responses
| where campaign.name != null
| summarize number_of_responses = count() by campaign.name, state, state_details
| sort campaign.name asc

Retrieve binaries from the past 7 days. Summarize them by category and subcategory.

binaries during past 7d
| where product_category != null
| summarize nr_binaries = count() by product_category, product_subcategory
| sort product_category asc

Retrieve binaries from the past 7 days. Summarize them according to the Accessibility category and the Vision Accessibility subcategory.

binary.binaries during past 7d
| where binary.product_category != null
| where (binary.product_category == "Accessibility" and binary.product_subcategory == "Vision Accessibility")
| list binary.name, binary.product_name, binary.version, binary.product_category, binary.product_subcategory

Retrieve users from the past 7 days. List them according to usage time equal or over 30 minutes for binaries under the Development Tools category and the Code Editors and IDEs subcategory.

users during past 7d
| include execution.events during past 7d
| where binary.product_category == "Development Tools" and binary.product_subcategory == "Code Editors and IDEs"
| compute usage_time = execution.event.focus_time.sum()
| where usage_time >= 30min

Last updated 1 year ago

Was this helpful?

hashtagQuery device tables

hashtagQuery other tables

Query device tables

Query other tables