LogoLogo
LearnDocumentationSupportCommunity
Version 6.30
Version 6.30
  • Welcome
  • Nexthink V6
  • Overview
    • Software components
    • Collector
    • Finder
    • Engine
    • Portal
    • Nexthink Library
    • Digital Experience Score
  • Installation and configuration
    • Planning your installation
      • Overview of the installation process
      • Hardware requirements
      • Connectivity requirements
      • Software requirements
      • Reference architectures
    • Installing Portal and Engine Appliances
      • Installing the Appliance
      • Installing the Appliance on Azure
      • Installing the Appliance on AWS
      • Installing the Appliance on OTC
      • Managing Appliance accounts
      • Setting the names of the Portal
      • Setting the names of the Engines
      • Specifying your internal networks and domains
      • Federating your Appliances
      • STIG compliance in Web Console
      • Connecting the Portal to the Engines
      • Configuring session performance storage
      • Configuring device performance storage
      • Setting up a software license
      • Sending email notifications from the Appliance
      • Allocating resources for the Portal
    • Installing the Collector
      • Installing the Collector on Windows
      • Installing the Collector on macOS
      • Installing the Collector for a Proof of Value
      • Assigning Collectors to Engines
      • Assignment of roaming Collectors
      • Collector MSI parameters reference table
      • Nxtcfg - Collector configuration tool
      • Inspecting the connection status of the Collector
      • Querying the status of the TCP connection of the Collector
      • Reporting the URL of HTTP web requests
      • Auditing logon events
      • Viewing user interactions in virtualized and embedded environments
      • Engage notifications on macOS
      • Configuring Collector level anonymization
    • Collector remote connectivity
      • Redirecting and anonymizing Collector traffic
      • Redirecting the Collector TCP channel
      • Support for DirectAccess
      • Windows Collector proxy support
      • Mac Collector proxy support
    • Installing the Event Connector
      • Installing the Event Connector on Linux
    • Installing the Finder
      • Installing the Finder on Windows
      • Enabling Cross-Engine Finder features
      • Expanding the time frame of investigations in the Finder
      • Enabling Finder access to the Library
      • Finder proxy support
    • Updating from V6.x
      • Updating the Appliance
      • Content centralization when updating the Appliance
      • Updating the Collector
      • Viewing Collector deprecated fields
      • Updating the Finder
    • Security and user account management
      • Importing and replacing certificates
      • Hierarchizing your infrastructure
      • Adding users
      • Enabling SAML authentication of users
      • Just-In-Time provisioning of user accounts
      • Enabling Windows authentication of users
      • Multi-factor authentication for local accounts overview
      • Provisioning user accounts from Active Directory
      • Establishing a privacy policy
      • Disabling local accounts for interactive users
      • Setting the complexity and minimum length of passwords for local accounts
      • Protecting local accounts against brute force attacks
      • Preventing password saving in the Finder
      • Controlling session timeouts in the Portal
      • Security settings in the Appliance
      • Setting the Do Not Disturb periods between campaigns
    • Data retrieval and storage
      • Data retention
      • Increasing the maximum number of metrics
      • Establishing a data retention policy in the Engine
      • Storing Engine data in a secondary disk drive
      • Importing data from Microsoft Active Directory
      • Setting the locale in the Portal
      • Changing the Time Zone of the Portal
      • Time Zones and data collection
      • Changing the data collection time of the Portal
      • Nightly task schedules timetable
      • Changing the thresholds of High CPU warnings
      • Automatic restart of unresponsive Engine
    • Maintenance operations
      • Logging in to the CLI
      • Special operation modes for the Engine and the Portal
      • Changing the default ports in the Appliance
      • Centralized Management of Appliances and Engines
      • Monitoring the performance of the Appliance
      • Resizing partitions in Appliance
      • Configuring the system log
      • Examining the logs in the Portal
      • GDPR - Retrieving or anonymizing personal data
      • Finding out unlicensed devices
      • Removing devices
      • Installing third-party software in the Appliance
      • Installing VMware Tools in the Appliance
      • Operational data sent to Nexthink
      • Sending additional data to Support
    • Disaster recovery
      • Planning for disaster recovery
      • Web Console backup and restore
      • Engine backup and restore
      • Portal backup and restore
      • Rule-based assignment backup and restore
      • License backup and restore
      • PKI backup and restore
    • Branding
      • Branding the Portal
      • Branding of campaigns
  • User manual
    • Getting started
      • Logging in to the Finder
      • Logging in to the Portal
      • Enabling STIG in Webconsole
    • Querying the system
      • Searching the subject of interest
      • Executing an investigation
      • Creating an investigation
      • Editing the options of an investigation
      • Combining logical conditions in investigations
      • Navigating through the results of an investigation
      • Properties of users and devices
    • Visualizing system activity in the Finder
      • Getting a quick overview
      • Graphically observing the activity of users and devices
      • Observing service performance
      • Viewing network connections
      • Viewing web requests
      • Viewing executions
    • Monitoring IT custom metrics
      • Creating a metric
      • Examples of metrics
      • Session performance
      • Device performance
      • Following the evolution of a metric
      • Finding the visuals of a metric
    • Monitoring IT services
      • Analyzing service quality
      • Creating a service
      • Following the evolution of a service
      • Specifying URL paths of web-based services
    • Engaging with the end user
      • Getting feedback from the end users
      • Types of campaigns
      • Creating a campaign
      • Editing a campaign
      • Types of questions
      • Controlling the flow of questions
      • Translating a campaign
      • Triggering a campaign manually
      • Limiting the reception rate of campaigns
      • Scrutinizing the results of a campaign
      • Continuously measuring the satisfaction of employees
    • Rating devices and users with scores
      • Computing scores
      • Creating a score
      • Checking and comparing ratings
      • Computing potential savings
      • Score XML Reference
      • Documenting scores
    • Remotely acting on devices
      • Scenarios for remote actions
      • Creating a remote action
      • Executing remote actions
      • Triggering a remote action manually
      • Writing scripts for remote actions on Windows
      • Writing scripts for remote actions on Mac
      • Example of self-healing scenario
      • Example of self-help scenario
      • Application control and remote actions
    • Organizing objects with categories
      • Classifying objects of the same type
      • Creating categories and keywords
      • Tagging objects manually
      • Tagging objects automatically
      • Importing tags from text files
    • Getting notified by the system
      • Receiving Engage campaigns
      • Receiving email digests
      • Receiving alerts
      • Creating a service-based alert
      • Creating an investigation-based alert
    • Building web-based dashboards
      • Introducing dashboards in the Portal
      • Creating a dashboard
      • Examining metrics in depth
      • Documenting dashboards
      • Assessing license use
      • Computing dashboard data
      • Reusing dashboard content
    • Importing and exporting authored content
      • Methods for reusing authored content
      • Manually sharing Finder content
      • Importing a content pack
      • Conflict resolution
      • Exporting a content pack
  • Library packs
    • Compliance
      • Device Compliance
    • Configuration Manuals
      • Overview (Configuration Manuals)
      • Installing A New Version Of A Library Pack
    • Digital Employee Score (DEX score)
      • DEX Score Installation And Configuration
      • Detailed Library Pack Changelog
    • Device management
      • Reduce logon duration
      • Group Policy Management
      • Hardware Asset Renewal
      • Hardware Asset Renewal Advanced
      • Application Auto-Start Impact
    • Remote Employee Experience
      • Remote Worker Experience
      • Home Networking
      • Change Log And Upgrade Process
      • Remote Worker Vs Office Worker Device Category
      • Remote Worker Insights
      • DEX V2 Upgrade Of Remote Worker
    • Persona Insight
      • Persona Insight - Overview
      • Persona Insight - Library Pack
      • Persona Insight - Score Only Pack
      • Persona Insight - Without Campaign pack
      • Persona Insight - Getting Started and Upgrade Procedure
      • Persona Insight - Configuration Guide
      • Persona Insight - Troubleshooting - Multiple devices on multiple engines
      • Persona Insight - Reference Guide
      • Persona Insight - Example Pack
      • Persona Insight - Device Sizing
        • Persona Insight - Device Sizing Overview
        • Persona Insight - Device Sizing Configuration
      • Persona Insight - Application Sizing
        • Persona Insight - Application Sizing Overview
        • Persona Insight - Application Sizing Configuration
      • Legacy Persona documentation
        • Persona Insight - Library Pack (V.1.0.0.0)
        • Persona Insight - Base Pack
        • Persona Insight - Base Pack Advanced
        • Persona Insight - Customization Guide (V1.0.0.0)
        • Persona Insight - Configuration Guide (V1.0.0.0)
        • Persona Insight - Reference Guide (V1.0.0.0)
    • GSuite
      • GSuite: Health
      • GSuite: Services
      • GSuite: Sentiment
      • GSuite: Advanced Health
    • Support
      • Support: Level 1
    • Shadow IT
      • Shadow IT
    • Malware Protection
      • Malware Protection
    • Office 365 Health
      • Office 365 Health: Overview
      • Office 365 Health: Services
    • Office 365 OneDrive
      • OneDrive Summary
      • OneDrive Operations
      • OneDrive Advanced Health
      • OneDrive Migration
      • OneDrive Sentiment
      • OneDrive Management
      • OneDrive Advanced Operations
    • Office 365 Teams
      • Teams Overall Configuration
      • Teams - Migration
      • Teams - Health
      • Teams - Advanced Health
      • Teams - Adoption
    • Microsoft 365 Apps
      • Microsoft 365 Apps - Operate
    • Employee Self Service
      • Overview
      • Configuration
      • Usage
    • Onboarding Experience Management
      • OEM - Overview
      • OEM - Configuration
    • Office 365 Outlook
      • Outlook Troubleshooting
    • Virtualization
      • Virtualization: Operate
      • Virtualization: AVD - Advanced
      • Virtualization: Citrix Advanced
      • Virtualization: Project
      • Virtualization: Troubleshooting
        • Virtualization: Troubleshooting: Configuration
    • Windows
      • Win10: Configuration
      • Win10: Migration
      • Win10: Feature Update
      • Win10: Quality Update
      • Windows Defender Management
      • Administrators Management
    • Windows 11
      • Windows 11 - Readiness
      • Windows 11 - Migration Pilot
      • Windows 11 - Migration
      • Windows 11 - Operate
    • Webex
      • Webex Operate
    • Zoom
      • Zoom Operate
    • Remote Actions
      • Get Performance Monitor Data
      • Skype For Business
      • Restart Device
      • Upload Logs to S3 using PreSigned URLs
    • Software Asset Optimization
    • Collaboration Optimization
      • Collaboration Optimization - Solution Overview
      • Collaboration Optimization - Configuration
      • Collaboration Optimization - Usage / Troubleshooting
    • Systems Management
      • Manage Configuration Drift
      • MS ConfigMgr - Client Health
        • MS ConfigMgr - Client Health - Summary
        • MS ConfigMgr - Client Health - Configuration Guide
      • Intune
        • Intune - Health
          • Intune - Health - Summary
          • Intune - Health - Configuration Guide
    • Return to the office
      • Return to the office - Planning
      • Return to the office - Readiness
    • Green IT
      • Green IT - Overview
      • Green IT - Configuration Guide
    • Hybrid Working
      • Hybrid Working Experience
      • Hybrid Working Experience - Installation and upgrade procedure
  • Integrations
    • Nexthink ServiceNow Service Graph Connector
      • Overview
        • Roles and Permissions
        • Modules
      • Installation and Configuration Guide
        • Pre-requisites
          • Configure Identification Rules
          • Import and setup the CMDB categories in Finder
        • Setup
          • Configure the connection
          • Configure import properties
          • Configure additional engines
          • Set up scheduled import jobs
      • Data transformation and mapping by default
      • How to customize the behaviour of the Connector
      • FAQ
        • Why ServiceNow Service Graph Connector?
        • What about Nexthink CMDB Connector?
        • Why is the name the primary key for the devices?
      • Troubleshooting
        • IRE identification issues
          • [No Choice found in the sys_choice table for the target table](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/ire-identification-issues/ no-choice-found-in-the-sys_choice-table-for-the-target-table.md)
          • Identification rules not created
          • Discovery_source choice not created
        • Timeout Errors
          • ECCResponseTimeoutException
          • HTTP 0 error
        • MID server issues
          • java.lang.NullPointerException
          • MID Server memory issues
          • Not trusted certificates in Quebec release
        • Configure credentials issues
          • [Not allowing update of property authentication_choice](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/configure-credentials-issues/ not-allowing-update-of-property-authentication_choice.md)
          • Invalid username/password combo (HTTP 401/403)
        • Configure Engines Issues
          • [The client secret supplied for a confidential client is invalid](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/configure-engines-issues/ the-client-secret-supplied-for-a-confidential-client-is-invalid.md)
        • No Cis imported and no errors found in the log
    • Nexthink ServiceNow Incident Management Connector (IMC)
      • Installation and configuration guide (IMC)
      • Troubleshooting Guide (IMC)
      • Domain separation installation (IMC)
    • Nexthink ServiceNow CMDB Connectors
      • Installation and Configuration Guide
      • Troubleshooting Guide
      • Field transformation and normalisation examples
    • Nexthink Event Connector
      • High level overview
      • Installation and Configuration Guide
      • Troubleshooting guide
      • RPM installation
      • Splunk specific documentation
        • Upgrading from Splunk Connector to Event Connector
        • Splunk add-on installation and usage
    • Nexthink Chatbot SDK
      • Introduction and concepts
      • Installation, configuration and update guide
        • Installation and configuration
        • Update to newer version
        • Uninstallation
        • Authentication
        • Topics configuration
        • Remote action configuration
        • Advanced configuration
        • Additional resources and references
      • Dimensioning guide
      • Troubleshooting
      • Technical solution description
      • Downloads and release notes
  • Glossary and references
    • Search and information display
      • Search in Finder
      • Keyboard shortcuts for column display selection
      • Campaign display compatibility
      • Real-time and consolidated service data
      • Service errors and warnings
      • Errors and warnings for devices and executions
      • Types of widgets
      • Widget compute state in charts
      • Errors in the execution of remote actions
      • Top results of Cross-Engine investigations
      • Engine data history
    • Tooltips in the user and device views
      • Alerts tooltips
      • Warnings tooltips
      • Errors tooltips
      • Activity tooltips
      • Services tooltips
    • Database information and organization
      • Maximum supported values
      • Local and shared content
      • Device Identification
      • Local IP address of devices
      • Timestamping of events
      • Boot and logon duration
      • Application startup duration
      • Application not responding events
      • Memory and CPU usage
      • Status of TCP connections
      • Status of UDP connections
      • Network and port scan conditions
      • Binary paths
      • Maximum number of Binaries
      • Package Executable Mapping
      • Metro apps
      • Investigation with packages
      • Portal aggregation and grouping
      • Focus time metric
    • Security
      • Access rights and permissions
      • Active Directory authentication
      • Canonical domain names for Windows authentication
      • System alerts
      • Audit trail
      • Appliance hardening
      • STIG hardening
      • FIPS 140-2 compliance
      • Security bulletins
        • Is Nexthink affected by Okta breach
        • Is Nexthink affected by SolarWinds breach
        • Nexthink and Log4j - Security bulletin
        • CVE-2022-22965 - Security Vulnerability Spring4shell - Spring Framework
        • Version 6.22.2.10: Security Vulnerability Maintenance Release
        • The Collector V6.27.X Release – Security Bulletin
    • References
      • Components of the Collector
      • Server support
      • Compatibility mode
    • Glossary
      • Activity
      • Alert
      • Application
      • Binary
      • Campaign
      • Category
      • Connection
      • Dashboard
      • Destination
      • Device
      • Domain
      • Entity
      • Event
      • Executable
      • Execution
      • Focus time
      • Hierarchy
      • Installation
      • Investigation
      • Keyword
      • Metric
      • Module
      • Object
      • Package
      • Platform
      • Port
      • Printer
      • Score
      • Service
      • Session
      • System boot
      • User
      • User logon
      • Web request
      • Widget
  • API and integrations
    • Integrating with Nexthink
      • Event Connector
      • Getting data through the NXQL API
      • Bidirectional integration with the Finder
      • Count metrics API
      • Software metering API
      • Services API
      • List Engines API
      • GetSID API
      • Triggering campaigns via their API
      • Triggering remote actions via their API
      • Audit trail API
      • Integrating investigation-based alerts
      • Downloads
    • NXQL API
      • Introducing the NXQL API
      • NXQL Tutorial
      • NXQL language definition
      • NXQL Data Model
    • Integrations
      • Excel integration with NXQL
      • Power BI
      • Azure Data Lake Storage Gen2
      • Splunk Event Connector
    • ServiceNow
      • CMDB Connector
      • Incident Management Connector
      • Event Management
On this page
  • Overview
  • Sorting the results
  • Changing the time frame
  • Setting the platform
  • Adding and removing display fields
  • Drilling-down
  • One-click investigations
  • Exporting the results of a Cross-Engine investigation
  • Saving your modifications
  • Getting a graphical representation of the data

Was this helpful?

  1. User manual
  2. Querying the system

Navigating through the results of an investigation

Last updated 9 months ago

Was this helpful?

© Nexthink

  • Privacy policy
  • Responsible Disclosure Policy

Overview

After executing an investigation, you are presented with a list of all the items that matched your query conditions. This is the List view of the Finder.

The list displays all the fields and aggregates that you selected when you .

Cross-Engine List view

If the are enabled, click the button List (all entities) to get results from all Engines; more specifically, from all the entities that belong to the view domain of the Finder user. In consequence, if a user's domain view is limited to entities within a single Engine, the user will not get results from other Engines.

If the button List (all entities) is disabled, hover the mouse cursor over the button and wait for a tooltip to show up. The tooltip describes the first encountered reason for the incompatibility of the investigation with the Cross-Engine feature. Because of particular investigation options usually related to aggregates (e.g., conditions on aggregates or ordering of results based on aggregates), some investigations cannot be executed across multiple Engines and are thus incompatible with the List (all entities) view.

On the other hand, the List (all entities) view is still available for investigations that specify display fields which cannot be computed across multiple Engines, as long as the investigation is not invalidated for other reasons. In this case, the List (all entities) view resolves the incompatibility by not displaying the conflicting columns.

The results are ordered by the values of the first sortable column. A message in the status bar at the bottom of the window indicates whether the condition of maximum displayable results is reached. For instance, when displaying the results of an investigation based on devices that returns more than ten thousand objects, the status bar states the following:

Only the first 10 000 devices (ordered by "Name") are displayed

In turn, if any of the connected Engines does not reply to the Cross-Engine query, the Finder displays the following warning message at the top of the window:

Partial results are displayed because some Engines didn't respond. Contact your administrator if the problem persists.

Moreover, when displaying the results of an investigation based on devices, the Finder adds a special column to the List (all entities) view called Engine. The Engine column holds the name of the Engine that stores the data of the related device. A single device that reports to several Engines gets a different UID from each Engine and is therefore seen as a set of distinct objects in the list of results.

Sorting the results

Order the results in the List view according to the value of one of the displayed fields by clicking its corresponding column header. The arrow to the right of the column name indicates if the sorting is made in ascending (arrow up) or descending (arrow down) order. Click the column header again to change the direction of the arrow.

Note that ordering the results in the List view applies to the already displayed results only; that is, ordering the results by clicking on a column does not trigger a new investigation. For instance, if an investigation shows the top 10 devices with the highest TCP traffic, clicking the Name header in the List view reorders the same 10 devices according to their name. The same behavior reproduces in a List (all entities) view that reaches its configured maximum number of results: ordering the results by clicking on a column does not trigger a new Cross-Engine investigation.

Changing the time frame

To come back to the original time frame of your investigation, click the calendar icon and then push the button Reset.

If you selected a limited time frame such as a particular day, you can also navigate easily with the arrows you find in both sides of the calendar icon. Just press the arrow to the right to move to the next available day, or the arrow to the left to move to the previous day.

Setting the platform

From the List view, filter the results of an investigation according to platforms at any time:

  1. Click the platform icons at the top of the List view and a dialog to select the platforms shows up.

  2. Tick the check box for every platform that you want to include in the results.

  3. Optional: To go back to the platforms originally selected by the investigation, click Reset.

  4. Click Apply to filter the results according to the selected platforms.

Adding and removing display fields

To quickly add or remove fields displayed as columns in the List view:

  1. Right-click anywhere in the column headers (the top part with the names of the columns). A label selector shows up.

  2. Click Apply.

To quickly remove a single column, right-click the column header and select Remove column from the context menu.

Drilling-down

Drilling-down to other items from your list of result items is one of the most powerful tools that you have for navigating through the results of your investigations. Drilling-down lets you get items related to the items in the list of results while keeping the context of your investigation, that is, enforcing the time frame and the conditions of the original investigation.

A drill-down is actually a quick investigation on objects, activities, or events that are related to a selection of the results of a previous investigation. For instance, imagine that you execute an investigation on devices that looks for those devices that executed the Nexthink Finder yesterday. You get a list of devices as a result. Imagine now that you want to know the users that executed the Finder yesterday from one or several of those devices. You can get the list of those particular users by drilling-down from the results of your previous investigation. Note that drilling-down keeps the conditions and the time frame of the original investigation, that is, the execution of the Nexthink Finder yesterday.

The drill-down keeps the Cross-Engine context as well. When selecting items of a List view to drill-down, the results lie within the limits of the current Engine. On the other hand, if your selection belongs to a List (all entities) view, the results of drilling-down extend to all available Engines.

To drill-down from a list of results of an investigation:

  1. Execute the investigation of your choice.

  2. Select one or more of the items in the List or List (all entities) views.

  3. Right-click the items selected. A context menu shows up.

  4. Select the option Drill-down to and choose a type of item. Items are classified into:

    • Objects

    • Activities

    • Events

  5. Choose one class of items and then a particular type of object, activity or event. Only those types of items that can be related in some way to the items in the list of results are eligible for drilling-down.

    • If the items in the list of results are filtered by platform, the drilling-down shows only those items which are compatible with the selected platform.

    • In the case that you selected multiple platforms, the drilling-down shows all those items which are compatible with any of the selected platforms.

  6. A new tab with the list of results for the drill-down opens.

The items that you can select for drilling-down depend also on the platform of the item you drill-down from. For instance, you cannot drill-down to printers from a Mac OS device, because the Mac platform in Nexthink does not support printers.

One-click investigations

One-click investigations, or one-clicks for short, are similar to drill-down investigations, except for the fact that they do not keep the context of the previous investigation.

For instance, to go on with our previous example, imagine that you are navigating the List view of an investigation that returns all the devices that executed the Nexthink Finder yesterday, and that you want to know all the users of a particular device. Drilling-down to users returns only those users who executed the Finder yesterday on that device. On the other hand, a one-click investigation on users returns all the users who have ever been seen in the device, regardless of what they were doing or when.

One-clicks do keep the Cross-Engine context though. When executing a one-click from a List view, the results are limited to the current Engine; whereas a one-click from a List (all entities) view returns items from all available Engines.

To perform a one-click investigation from the list of results of a previous investigation:

  1. Execute the investigation of your choice.

  2. Select one or more of the items in the List or List (all entities) view.

  3. Right-click the items selected. A context menu shows up.

  4. Select the option One-click investigation and retrieve all the items of a particular class. Choose among:

    • Retrieve all objects

    • Retrieve all activities

    • Retrieve all events

    Note: for binary objects, specify first if you want to retrieve items related to the binary itself, or to the executable or the application to which the binary belongs. Similarly, for executable objects, choose first if you want to retrieve items related to the executable itself or to the application to which the executable belongs.

  5. Select a particular type of object, activity or event. Only those types of items that can be related in some way to the items in the list of results are eligible for a one-click investigation.

    • If the items in the list of results are filtered by platform, the one-click investigation shows only those items which are compatible with the selected platform.

    • In the case that you selected multiple platforms, the one-click investigation shows all those items which are compatible with any of the selected platforms.

  6. The Finder opens a new tab with the list of results for the one-click investigation.

Again, similarly to what happens with drill-downs, the items that you can select when you do a one-click investigation depend also on the platform of the one-clicked object.

Exporting the results of a Cross-Engine investigation

Cross-Engine investigations that display All results are limited to show up to a maximum of 10000 entries in the List (all entities) view by default. Although this limit is configurable, it is often impractical to deal with a large number of objects in the list view of the Finder. To overcome this limit and actually get all the possible outcomes, export the results of Cross-Engine investigations. From the List (all entities) view in the Finder:

  1. Click the menu icon at the top right corner of the view.

  2. Select Export results from the list.

The Finder opens your default web browser with the message Export in progress while the Portal generates a CSV file that gathers the results from all Engines. Once the CSV file is ready and zipped, the browser automatically initiates its download from the Portal. After the download is complete, the Portal removes its local copy of the file and the URL used for the download becomes invalid.

Saving your modifications

When you change the time frame or the displayed fields, or you drill-down, or do a one-click from the List view of an investigation, the system is actually executing a different investigation from the original one.

To save the new investigations that you create by applying modifications to the List view, click the menu icon at the top right of the view and select Save investigation... or press Ctrl+S.

Getting a graphical representation of the data

The List view gives you a plain text representation of the data stored in the Nexthink database. While this is perfect if you want to have a list with the exact values, it can be difficult for a human to get an insight of what is actually happening inside your IT infrastructure with just a textual representation.

To get a graphical representation of the results in the List view, click one of the buttons in the top-left corner of the List view:

To visualize network connections.

To visualize web requests.

To visualize local program executions.

The visualizations are computed within the context of your investigation. Therefore, not all three visualizations are present for all investigations. Visualization is available only if the context contains relevant information for it.


RELATED TASKS

The List (all entities) view displays up to a maximum of 10 000 results by default, although and you can overcome this limit by . The Network, Web, and Local activity views are not available when displaying Cross-Engine results.

By default, results are sorted according to the values of the first column in ascending order; unless otherwise specified in the investigation options, where you can look for ordered in either ascending or descending fashion. You can click on any other column header of the List view to sort the results in a different way.

The List and List (all entities) views display the time frame that applies to the given results of the investigation in the top-center part of its own tab. To change the time frame of the investigation, click the calendar icon that appears to the right of the current time frame. A dialog very similar to the of the investigation designer shows up. If Cross-Engine features are enabled, the dates available for selection are those available across all Engines within the domain view of the user, as explained in the article about the Time frame section. Otherwise, the available dates correspond to the history of the current Engine. Set the new desired time frame and click Apply.

Use the label selector to add or remove columns in the same way as you when creating the investigation.

this number is configurable
exporting the results of the investigation
Network activity
Web activity
Local activity
Enabling the Cross-Engine features in the Finder
Executing an investigation
Editing the options of an investigation
Creating an investigation
Viewing network connections
Viewing web requests
Viewing executions
edited the options of the investigation
Cross-Engine features in the Finder
a number of top objects
Time frame section
select the columns