NXQL Data Model
Objects
application
An application is a set of executables, e.g. 'Microsoft Office'. Platforms:
binary
A binary is an executable binary file identified by its hash code. Platforms:
destination
A destination is a device or server receiving TCP/UDP connections. Platforms:
device
A device is a Windows physical or virtual machine monitored by a Nexthink Collector. Platforms:
domain
A domain is a domain name, e.g. www.nexthink.com. Platforms:
executable
An executable is an executable program, e.g. 'winword.exe'. Platforms:
package
A package is a software package (program or update). Platforms:
port
A port is a TCP or UDP connection port. Platforms:
printer
A printer is an installed printer (local, network, shared or virtual). Platforms:
service
A service represents an IT service in your organization, such as the mail service or the directory service. Services are either based on TCP connections (for Windows and Mac devices) or on web requests (for Windows devices only). Platforms:
url_path
A url_path is the URL path after the domain name, e.g. [www.nexthink.com]/awards/. Platforms:
user
A user is an object that represents an individual account in a device (local user) or in a group of devices (domain user). The account may identify a physical user or a system user. Platforms:
Events
connection
A connection is a TCP connection or a UDP packet. Several identical TCP connections or UDP packets are merged when in close succession.
Platforms:
device_activity
A device_activity is a device activity (boot or activity).
Platforms:
device_error
A device_error is a critical system error (system crash, hard reset, or disk error).
Platforms:
device_performance
A device_performance reports the average IOPS, CPU and memory of a device during one hour.
Platforms:
device_warning
A device_warning is a peak in device resource usage (CPU, memory or I/O).
Platforms:
execution
An execution is a process executing on a device. Several executions of the same process are merged when in close succession.
Platforms:
execution_error
An execution_error is an application error (crash or not responding).
Platforms:
execution_warning
An execution_warning is a peak in application resource usage (CPU or memory).
Platforms:
installation
An installation is the installation or uninstallation of a software package (program or update).
Platforms:
network_scan
A network scan is a sequence of failed TCP connections or UDP packets made to the same port to more than 50 destinations within a few seconds.
Platforms:
port_scan
A port scan is a sequence of failed TCP connections or UDP packets made to the same destination to more than 50 ports within a few seconds.
Platforms:
printout
A printout is a print job processed by a printer.
Platforms:
session_performance
Sessions of a user logged on a device.
Platforms:
user_activity
A user_activity is a user activity (logon or interactive activity).
Platforms:
web_request
A web_request is an HTTP or TLS request.
Platforms:
Relationships
A relationship is a link between object and event tables and is specified in a with clause.
connection: device, user, binary, executable, application, destination, port, service
device_activity: device
device_error: device
device_performance: device
device_warning: device
execution: device, user, binary, executable, application
execution_error: device, user, binary, executable, application
execution_warning: device, user, binary, executable, application
installation: device, package
network_scan: device, user, binary, executable, application, port
port_scan: device, user, binary, executable, application, destination
printout: device, user, printer
session_performance: device, user
user_activity: device, user
web_request: device, user, binary, executable, application, destination, port, domain, url_path, service
package: device, package
Aggregates
connection
device_activity
device_error
device_performance
device_warning
execution
execution_error
execution_warning
installation
network_scan
package
port_scan
printout
session_performance
user_activity
web_request
Definitions
This document lists all objects, fields and aggregates available through NXQL. Each field and aggregate has a name, a type, properties and a description.
Platforms can have the following values:
W: The field, aggregate or table is available on the Windows platform.
X: The field, aggregate or table is available on the Mac OS platform.
M: The field, aggregate or table is available on the Mobile platform.
Properties can have the following values:
DE: The field or aggregate is deprecated.
PB: The field or aggregate is in Public Beta.
FP: The field or aggregate can be used without a between clause.
NU: The field or aggregate can be nil.
SE: The field or aggregate is only available with a license containing the security feature.
WE: The field or aggregate is only available with a license containing the web monitoring feature.
NC: The field is not comparable.