NXQL Data Model

Objects

application

An application is a set of executables, e.g. 'Microsoft Office'. Platforms:

binary

A binary is an executable binary file identified by its hash code. Platforms:

destination

A destination is a device or server receiving TCP/UDP connections. Platforms:

device

A device is a Windows physical or virtual machine monitored by a Nexthink Collector. Platforms:

domain

A domain is a domain name e.g. www.nexthink.com. Platforms:

executable

An executable is an executable program, e.g. 'winword.exe'. Platforms:

package

A package is a software package (program or update). Platforms:

port

A port is a TCP or UDP connection port. Platforms:

printer

A printer is an installed printer (local, network, shared or virtual). Platforms:

service

A service represents an IT service in your organization, such as the mail service or the directory service. Services are either based on TCP connections (for Windows and Mac devices) or on web requests (for Windows devices only). Platforms:

url_path

A url_path is a URL path after the domain name e.g. [www.nexthink.com]/awards/. Platforms:

user

A user is an object that represents an individual account in a device (local user) or in a group of devices (domain user). The account may identify a physical user or a system user. Platforms:

Events

connection

A connection is a TCP connection or a UDP packet. Several identical TCP connections or UDP packets are merged when in close succession.

Platforms:

device_activity

A device_activity is a device activity (boot or activity).

Platforms:

device_error

A device_error is a critical system error (system crash, hard reset, or disk error).

Platforms:

device_performance

A device_performance reports the average IOPS, CPU and memory of a device during one hour.

Platforms:

device_warning

A device_warning is a peak in device resource usage (CPU, memory or I/O).

Platforms:

execution

An execution is a process executing on a device. Several executions of the same process are merged when in close succession.

Platforms:

execution_error

An execution_error is an application error (crash or not responding).

Platforms:

execution_warning

An execution_warning is a peak in application resource usage (CPU or memory).

Platforms:

installation

An installation is the installation or uninstallation of a software package (program or update).

Platforms:

network_scan

A network scan is a sequence of failed TCP connections or UDP packets made to the same port to more than 50 destinations within a few seconds.

Platforms:

port_scan

A port scan is a sequence of failed TCP connections or UDP packets made to the same destination to more than 50 ports within a few seconds.

Platforms:
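
The network_scan and port_scan definitions above, turned into detection logic over constructed connection records (an added example, not Nexthink's implementation). The record layout, the names `detect_scans` and `sample_records`, and the 5-second window are assumptions; the page only says "within a few seconds".

```python
from collections import defaultdict, deque

THRESHOLD = 50        # from the definitions: "more than 50"
WINDOW_SECONDS = 5.0  # assumption: the page only says "a few seconds"

def detect_scans(records, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """records: (timestamp, device, destination, port, failed), sorted by time.
    Returns a set of (kind, device, fixed_value) for every scan found."""
    windows = defaultdict(deque)  # key -> (timestamp, varying value) in window
    found = set()
    for ts, device, dest, port, failed in records:
        if not failed:
            continue  # both definitions count failed connections only
        # network_scan: same port, many destinations.
        # port_scan: same destination, many ports.
        for kind, fixed, varying in (("network_scan", port, dest),
                                     ("port_scan", dest, port)):
            q = windows[(kind, device, fixed)]
            q.append((ts, varying))
            while q and ts - q[0][0] > window:
                q.popleft()  # drop entries that fell out of the time window
            if len({v for _, v in q}) > threshold:
                found.add((kind, device, fixed))
    return found

def sample_records():
    """Constructed sample data, not real telemetry."""
    recs = []
    # ws-01: 60 destinations on port 445, all failed, within 3 s
    recs += [(i * 0.05, "ws-01", f"10.0.1.{i}", 445, True) for i in range(60)]
    # ws-02: 60 ports on one destination, all failed, within 3 s
    recs += [(i * 0.05, "ws-02", "10.0.0.5", 1000 + i, True) for i in range(60)]
    # ws-03: 60 destinations but the connections succeeded
    recs += [(i * 0.05, "ws-03", f"10.0.2.{i}", 443, False) for i in range(60)]
    # ws-04: 60 failed destinations spread over ten minutes
    recs += [(i * 10.0, "ws-04", f"10.0.3.{i}", 22, True) for i in range(60)]
    # ws-05: exactly 50 failed destinations, which is not "more than 50"
    recs += [(i * 0.05, "ws-05", f"10.0.4.{i}", 3389, True) for i in range(50)]
    return sorted(recs)

if __name__ == "__main__":
    for hit in sorted(detect_scans(sample_records()), key=str):
        print(hit)
```
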

printout

A printout is a print job processed by a printer.

Platforms:

session_performance

Sessions of a user logged on a device.

Platforms:

user_activity

A user_activity is a user activity (logon or interactive activity).

Platforms:

web_request

A web_request is an HTTP or TLS request.

Platforms:

Relationships

A relationship is a link between object and event tables and is specified in a with clause.

connection

  • device

  • user

  • binary

  • executable

  • application

  • destination

  • port

  • service

device_activity

  • device

device_error

  • device

device_performance

  • device

device_warning

  • device

execution

  • device

  • user

  • binary

  • executable

  • application

execution_error

  • device

  • user

  • binary

  • executable

  • application

execution_warning

  • device

  • user

  • binary

  • executable

  • application

installation

  • device

  • package

network_scan

  • device

  • user

  • binary

  • executable

  • application

  • port

port_scan

  • device

  • user

  • binary

  • executable

  • application

  • destination

printout

  • device

  • user

  • printer

session_performance

  • device

  • user

user_activity

  • device

  • user

web_request

  • device

  • user

  • binary

  • executable

  • application

  • destination

  • port

  • domain

  • url_path

  • service

package

  • device

  • package

Aggregates

connection

device_activity

device_error

device_performance

device_warning

execution

execution_error

execution_warning

installation

network_scan

package

port_scan

printout

session_performance

user_activity

web_request

Definitions

The following document lists all objects, fields and aggregates available through NXQL. Each field and aggregate has a name, a type, properties and a description.

Platforms can have the following values:

  • W: The field, aggregate or table is available on the Windows platform.

  • X: The field, aggregate or table is available on the Mac OS platform.

  • M: The field, aggregate or table is available on the Mobile platform.

Properties can have the following values:

  • DE: The field or aggregate is deprecated.

  • PB: The field or aggregate is in Public Beta.

  • FP: The field or aggregate can be used without a between clause.

  • NU: The field or aggregate can be nil.

  • SE: The field or aggregate is only available with a license containing the security feature.

  • WE: The field or aggregate is only available with a license containing the web monitoring feature.

  • NC: The field is not comparable.
