Search in Finder

Overview

The Finder divides the results of a search on the Start page into two columns:

  1. The left-hand column, entitled Investigations, shows both existing investigations that match the search terms and investigations that the system automatically infers from the search terms and suggests to the user. Because of this automatic inference, this part is also known as the smart search. Each result displays:

    • An icon that indicates the type of object or activity on which the investigation is based.

    • A Suggested label, if the investigation was automatically generated.

    • The name of the investigation.

    • The time frame that restricts the results to a particular interval of time.

  2. The right-hand column shows search results based on the names of objects (e.g. Devices, Executables), Services, Metrics, Scores, Remote actions, and Categories.

Applies to platforms | Windows | macOS | Mobile |

Suggested investigations

The Finder uses the typed words to suggest investigations. It looks up whether the words match:

  • An object type (e.g. device) or an activity type (e.g. connection)

  • The name of a platform if you want to filter the results depending on the kind of devices (e.g. windows).

  • A keyword (e.g. crash, performance).

  • A condition on an object type.

  • Names of objects.

  • Names of services.

  • Names of entities.

  • The name of a category (e.g. NXT - Server type) or one of its keywords (e.g. Proxy).

  • A timeframe.

To iteratively narrow the scope of the search, we recommend that you type the words in the order listed above. After the first typed word, the Finder provides search results that you can refine by typing more words. This order is not mandatory, however, as the Finder does not take word order into account.

When the Cross-Engine search features are enabled in the Finder, the suggested investigations additionally look for words matching the following items in all Engines, subject to the domain view of the Finder user:

  • All users and devices.

  • Domains seen in the last 5 days.

  • Any other object seen in the last 7 days.

Objects, activities and platforms

Find below the lists of objects, activities and platforms that you can use:

Objects

  • users

  • devices

  • packages

  • applications

  • executables

  • binaries

  • ports

  • destinations

  • domains

  • printers

Activities

  • installations

  • executions

  • connections

  • web requests

  • print jobs

  • system boots

  • user logons

Platforms

  • windows

  • mac

  • mobile

For example, search for packages.

Search | Finder suggestions
packages | All packages - full period

When the Cross-Engine search features are enabled in the Finder, the search tool looks for objects across all Engines and for all other shared items such as metrics, categories, services or remote actions. Displayed users and devices are limited to the domain view of the user that launched the search, while other objects and items may be outside the domain view of the user. In the latter case, the user cannot investigate the details of the object any further.

Keywords

As an example, you can look for errors and warnings in devices or applications using keywords. For instance, type errors in the Search box to get a list of any kind of error. You get the same results if you use synonyms of error such as issue, problem or failure.

If you want to be more specific in the kind of errors that you want to know about, you can use any of the following (or a valid synonym):

  • system crash

  • application crash

  • application freeze (not responding)

  • high cpu

  • high memory

For example, to look for application crashes, just type in application crash:

Search | Finder suggestions
application crash | Application crashes - today

A condition on an object type

For example, you can type the name of an existing user and the Finder will show you suggested investigations that use the condition on the user name.

Search | Finder suggestions
user UserName | Devices used by user UserName - full period

Names of objects

Type in names of objects in your queries to look for a concrete instance of an object. As a Finder user, you may need the right privilege level to see the names of some objects (see step 3 of defining the profile of a user). Otherwise, they appear anonymized in the search tool and you are unable to search for them by name.

As an example, type in the name of a device or a user in the Search box. You do not need to type in a full name. The Search fills the list of suggestions with investigations related to the objects with that name inside their properties. The Finder highlights the name in the list of results.

If the Finder detects that many objects match the name, it may infer that the word that you typed in is in fact a fragment of the actual name. In this case, the suggested investigations relate to groups of objects whose properties match the fragment. This is indicated by displaying the asterisk * wildcard around the name.

When you type names in the Search box, you can get a mix of suggested investigations that either match one object exactly or match a group of objects. For each investigation, the Finder may interpret the word as a full name or as a fragment. For example:

Search | Finder suggestions
nxtc | Application matching nxtcfg.exe - full period
nxtc | Applications used to access domain *nxtc*

Names of services

Similarly to names of objects, look for names of services in the Search box to get investigations related to a particular service. For instance, if you have a service called Mail Service, start typing mail and you get the following results (among others):

Search | Finder suggestions
mail | Applications used for Mail Service - today
mail | Devices using Mail Service - today ...

Names of entities

If you have defined a set of entities for building up your hierarchies, type in the names of your entities in the Search box for the Finder to suggest investigations related to objects in those entities.

Suggested investigations based on categories

Use the names of categories to refine suggested investigations. For instance, given a category RAM that classifies devices according to the quantity of memory installed, the result of looking for devices with that category is the following:

Search | Finder suggestion
device RAM | Devices with RAM - full period

The name of the category is highlighted in the list of results and preceded by the label icon that identifies it as a category (not shown in the table).

Instead of the name of a category, you can directly use the name of the keywords of the category. For instance, let us assume that the keywords of the category RAM are:

  • 2GB

  • 3GB

  • 4GB

You can directly look for devices using one of these keywords, or even combine several keywords, by typing:

Search | Finder suggestion
device 2GB | Devices with RAM set to 2GB - full period
device 3GB 4GB | Devices with RAM set to 3GB or 4GB - full period

Alternatively, you can directly use the name of a category without specifying the type of object and optionally combine it with one of its keywords. In this case, the Finder deduces the type of object to which the category applies:

Search | Finder suggestion
RAM 1GB | Devices with RAM set to 1GB - full period

Timeframe control

Limit the suggestions of the Finder to a particular time interval by specifying a timeframe. Find below the words that you can use to define a timeframe for the suggested investigations:

  • Full period: The full time interval stored in the database of the Engine.

  • Today: The current day (from 0 hours to the current time).

  • Yesterday: The full day before today.

  • Last hour: The last 60 minutes (including the current minute).

  • Last week: The last seven days (including today).

Platform control for suggestions

If you use one of the platform names in your search, suggestions are adapted to match the available information for that platform. For instance, if you use the keyword mobile within a search for devices, the Finder suggests investigations about the access state, access rules and security policy of mobile devices.

Note that platform control in the smart search is only activated if devices of platforms other than Windows are detected inside your installation. If you only have Windows devices, the platform keywords (windows, mac os and mobile) are not recognized as such, but just as normal terms of your search.

Synonyms

To make its use more natural, the Search tool of the Finder recognizes the singular and plural forms of these words as well as some of their synonyms. In many cases you can use your own words to look for information in the Finder and still get the expected results. For instance, instead of looking for devices, you can search for computers, PCs or workstations.

Once you get used to Nexthink terminology, however, you may find it more practical, accurate or even easier to stick to the official terms to designate objects or activities.

Using quotes

When searching, you can use quotes to:

  • Force the search on words with fewer than two letters. Normally, words with fewer than two letters are ignored by the Finder.

  • Force the search to ignore spaces between words and consider the words together. For example, you can search for an application whose name contains spaces. Let's say you search for name of my application (a name with spaces):

Search | Finder suggestion
Application "name of my application" | Application matching name of my application - full period

  • Avoid name clashes with reserved words. The quotes instruct the Finder that the content inside is the value of an object name and not the name of a type of an object or activity. For instance, you get different results when you type the word user in the Search box with quotes and without quotes:

Search | Finder first suggestion
user | User logons - today
"user" | Devices with package user - full period

User's investigation

The Finder checks whether the user's investigation contains all the words and whether one of the words is the name of an object or activity type. If so, it also checks whether a word matches the object of the conditions.

For example, let's say that the user has a saved investigation named InvestigationABC based on devices:

Search | Finder suggestion
device InvestigationABC | InvestigationABC

Time frame control

By default, the original timeframe of the investigation is used. It can be modified, however, using the timeframe control described above for suggested investigations. The new timeframe applies only if the underlying investigation is compatible with it.

Search | Finder suggestion
device InvestigationABC today | InvestigationABC - today

Platform control for investigations

Using platform keywords in the search makes the Finder suggest only those user investigations that are suitable for all the enumerated platforms.

Using synonyms and quotes

The use of synonyms and quotes described above for suggested investigations applies in the same way to user's investigations.

Show in investigations list

If you want to modify the user's investigation, right-click it and select the option "show in investigations list". You can then modify the original investigation by right-clicking it and selecting "edit".

Objects search

Up to now, we have discussed the results that the Search tool displays in the left column of the Start page under the title Investigations. This section covers the results of the Search tool that are displayed in the right column of the Start page.

The main use of the right column is to look for a single existing object in the database when you know its name, or at least part of it. In this case, the Finder does not have to deduce anything. It just performs a pure search by matching the terms that you type in with the names of objects or investigations in the database. Results are organized by type of object.

Using quotes works in the same way as in the left panel. To increase the number of results, you can use wildcards:

  • *: substitutes for zero or more characters.

  • ?: substitutes for zero or one character.

The Finder runs the right and left panel search in parallel, so you do not have to choose between either one of them. Using wildcards, however, is not yet supported by the investigation search, which is likely to show no suggestions at all if you type in an asterisk or a question mark in your search.
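As an added illustration (not Nexthink's code), the following Python models the quoting and wildcard rules described on this page: unquoted words shorter than two letters are dropped, an unquoted object or activity type name is treated as a type while quoted text is always a name value, and a right-panel pattern uses * for zero or more characters and ? for zero or one. The reserved-word list and the sample object names are constructed for the example, and it assumes a pattern is matched against the whole object name, case-insensitively.

```python
import re

# Single-word object and activity type names listed on this page (singular forms
# added); these are the reserved words that quotes let you escape. Multi-word types
# such as "web requests" are left out of this illustration.
RESERVED = {
    "user", "users", "device", "devices", "package", "packages",
    "application", "applications", "executable", "executables",
    "binary", "binaries", "port", "ports", "destination", "destinations",
    "domain", "domains", "printer", "printers", "installation", "installations",
    "execution", "executions", "connection", "connections",
}

# Constructed sample object names for the right-panel (objects) search.
SAMPLE_NAMES = ["nxtcfg.exe", "nxtxcfg.exe", "nxtxxcfg.exe", "Mail Service"]


def tokenize(query):
    """Split a query into (text, quoted) pairs; a double-quoted span is one token."""
    return [(m.group(1), True) if m.group(1) is not None else (m.group(2), False)
            for m in re.finditer(r'"([^"]*)"|(\S+)', query)]


def classify(query):
    """Apply the quoting rules and return (type_words, name_values).
    Unquoted words shorter than two letters are ignored; an unquoted reserved
    word is an object/activity type; quoted text is always a name value."""
    types, names = [], []
    for text, quoted in tokenize(query):
        if quoted:
            names.append(text)
        elif len(text) < 2:
            continue  # too short to be searched unless quoted
        elif text.lower() in RESERVED:
            types.append(text.lower())
        else:
            names.append(text)
    return types, names


def wildcard_to_regex(pattern):
    """* stands for zero or more characters, ? for zero or ONE character (not
    exactly one). Assumption: the whole name is matched, case-insensitively."""
    parts = [".*" if c == "*" else ".?" if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_objects(pattern, names=SAMPLE_NAMES):
    """Return the object names that a right-panel search pattern matches."""
    rx = wildcard_to_regex(pattern)
    return [n for n in names if rx.match(n)]
```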
