LogoLogo
LearnDocumentationSupportCommunity
Version 6.30
Version 6.30
  • Welcome
  • Nexthink V6
  • Overview
    • Software components
    • Collector
    • Finder
    • Engine
    • Portal
    • Nexthink Library
    • Digital Experience Score
  • Installation and configuration
    • Planning your installation
      • Overview of the installation process
      • Hardware requirements
      • Connectivity requirements
      • Software requirements
      • Reference architectures
    • Installing Portal and Engine Appliances
      • Installing the Appliance
      • Installing the Appliance on Azure
      • Installing the Appliance on AWS
      • Installing the Appliance on OTC
      • Managing Appliance accounts
      • Setting the names of the Portal
      • Setting the names of the Engines
      • Specifying your internal networks and domains
      • Federating your Appliances
      • STIG compliance in Web Console
      • Connecting the Portal to the Engines
      • Configuring session performance storage
      • Configuring device performance storage
      • Setting up a software license
      • Sending email notifications from the Appliance
      • Allocating resources for the Portal
    • Installing the Collector
      • Installing the Collector on Windows
      • Installing the Collector on macOS
      • Installing the Collector for a Proof of Value
      • Assigning Collectors to Engines
      • Assignment of roaming Collectors
      • Collector MSI parameters reference table
      • Nxtcfg - Collector configuration tool
      • Inspecting the connection status of the Collector
      • Querying the status of the TCP connection of the Collector
      • Reporting the URL of HTTP web requests
      • Auditing logon events
      • Viewing user interactions in virtualized and embedded environments
      • Engage notifications on macOS
      • Configuring Collector level anonymization
    • Collector remote connectivity
      • Redirecting and anonymizing Collector traffic
      • Redirecting the Collector TCP channel
      • Support for DirectAccess
      • Windows Collector proxy support
      • Mac Collector proxy support
    • Installing the Event Connector
      • Installing the Event Connector on Linux
    • Installing the Finder
      • Installing the Finder on Windows
      • Enabling Cross-Engine Finder features
      • Expanding the time frame of investigations in the Finder
      • Enabling Finder access to the Library
      • Finder proxy support
    • Updating from V6.x
      • Updating the Appliance
      • Content centralization when updating the Appliance
      • Updating the Collector
      • Viewing Collector deprecated fields
      • Updating the Finder
    • Security and user account management
      • Importing and replacing certificates
      • Hierarchizing your infrastructure
      • Adding users
      • Enabling SAML authentication of users
      • Just-In-Time provisioning of user accounts
      • Enabling Windows authentication of users
      • Multi-factor authentication for local accounts overview
      • Provisioning user accounts from Active Directory
      • Establishing a privacy policy
      • Disabling local accounts for interactive users
      • Setting the complexity and minimum length of passwords for local accounts
      • Protecting local accounts against brute force attacks
      • Preventing password saving in the Finder
      • Controlling session timeouts in the Portal
      • Security settings in the Appliance
      • Setting the Do Not Disturb periods between campaigns
    • Data retrieval and storage
      • Data retention
      • Increasing the maximum number of metrics
      • Establishing a data retention policy in the Engine
      • Storing Engine data in a secondary disk drive
      • Importing data from Microsoft Active Directory
      • Setting the locale in the Portal
      • Changing the Time Zone of the Portal
      • Time Zones and data collection
      • Changing the data collection time of the Portal
      • Nightly task schedules timetable
      • Changing the thresholds of High CPU warnings
      • Automatic restart of unresponsive Engine
    • Maintenance operations
      • Logging in to the CLI
      • Special operation modes for the Engine and the Portal
      • Changing the default ports in the Appliance
      • Centralized Management of Appliances and Engines
      • Monitoring the performance of the Appliance
      • Resizing partitions in Appliance
      • Configuring the system log
      • Examining the logs in the Portal
      • GDPR - Retrieving or anonymizing personal data
      • Finding out unlicensed devices
      • Removing devices
      • Installing third-party software in the Appliance
      • Installing VMware Tools in the Appliance
      • Operational data sent to Nexthink
      • Sending additional data to Support
    • Disaster recovery
      • Planning for disaster recovery
      • Web Console backup and restore
      • Engine backup and restore
      • Portal backup and restore
      • Rule-based assignment backup and restore
      • License backup and restore
      • PKI backup and restore
    • Branding
      • Branding the Portal
      • Branding of campaigns
  • User manual
    • Getting started
      • Logging in to the Finder
      • Logging in to the Portal
      • Enabling STIG in Webconsole
    • Querying the system
      • Searching the subject of interest
      • Executing an investigation
      • Creating an investigation
      • Editing the options of an investigation
      • Combining logical conditions in investigations
      • Navigating through the results of an investigation
      • Properties of users and devices
    • Visualizing system activity in the Finder
      • Getting a quick overview
      • Graphically observing the activity of users and devices
      • Observing service performance
      • Viewing network connections
      • Viewing web requests
      • Viewing executions
    • Monitoring IT custom metrics
      • Creating a metric
      • Examples of metrics
      • Session performance
      • Device performance
      • Following the evolution of a metric
      • Finding the visuals of a metric
    • Monitoring IT services
      • Analyzing service quality
      • Creating a service
      • Following the evolution of a service
      • Specifying URL paths of web-based services
    • Engaging with the end user
      • Getting feedback from the end users
      • Types of campaigns
      • Creating a campaign
      • Editing a campaign
      • Types of questions
      • Controlling the flow of questions
      • Translating a campaign
      • Triggering a campaign manually
      • Limiting the reception rate of campaigns
      • Scrutinizing the results of a campaign
      • Continuously measuring the satisfaction of employees
    • Rating devices and users with scores
      • Computing scores
      • Creating a score
      • Checking and comparing ratings
      • Computing potential savings
      • Score XML Reference
      • Documenting scores
    • Remotely acting on devices
      • Scenarios for remote actions
      • Creating a remote action
      • Executing remote actions
      • Triggering a remote action manually
      • Writing scripts for remote actions on Windows
      • Writing scripts for remote actions on Mac
      • Example of self-healing scenario
      • Example of self-help scenario
      • Application control and remote actions
    • Organizing objects with categories
      • Classifying objects of the same type
      • Creating categories and keywords
      • Tagging objects manually
      • Tagging objects automatically
      • Importing tags from text files
    • Getting notified by the system
      • Receiving Engage campaigns
      • Receiving email digests
      • Receiving alerts
      • Creating a service-based alert
      • Creating an investigation-based alert
    • Building web-based dashboards
      • Introducing dashboards in the Portal
      • Creating a dashboard
      • Examining metrics in depth
      • Documenting dashboards
      • Assessing license use
      • Computing dashboard data
      • Reusing dashboard content
    • Importing and exporting authored content
      • Methods for reusing authored content
      • Manually sharing Finder content
      • Importing a content pack
      • Conflict resolution
      • Exporting a content pack
  • Library packs
    • Compliance
      • Device Compliance
    • Configuration Manuals
      • Overview (Configuration Manuals)
      • Installing A New Version Of A Library Pack
    • Digital Employee Score (DEX score)
      • DEX Score Installation And Configuration
      • Detailed Library Pack Changelog
    • Device management
      • Reduce logon duration
      • Group Policy Management
      • Hardware Asset Renewal
      • Hardware Asset Renewal Advanced
      • Application Auto-Start Impact
    • Remote Employee Experience
      • Remote Worker Experience
      • Home Networking
      • Change Log And Upgrade Process
      • Remote Worker Vs Office Worker Device Category
      • Remote Worker Insights
      • DEX V2 Upgrade Of Remote Worker
    • Persona Insight
      • Persona Insight - Overview
      • Persona Insight - Library Pack
      • Persona Insight - Score Only Pack
      • Persona Insight - Without Campaign pack
      • Persona Insight - Getting Started and Upgrade Procedure
      • Persona Insight - Configuration Guide
      • Persona Insight - Troubleshooting - Multiple devices on multiple engines
      • Persona Insight - Reference Guide
      • Persona Insight - Example Pack
      • Persona Insight - Device Sizing
        • Persona Insight - Device Sizing Overview
        • Persona Insight - Device Sizing Configuration
      • Persona Insight - Application Sizing
        • Persona Insight - Application Sizing Overview
        • Persona Insight - Application Sizing Configuration
      • Legacy Persona documentation
        • Persona Insight - Library Pack (V.1.0.0.0)
        • Persona Insight - Base Pack
        • Persona Insight - Base Pack Advanced
        • Persona Insight - Customization Guide (V1.0.0.0)
        • Persona Insight - Configuration Guide (V1.0.0.0)
        • Persona Insight - Reference Guide (V1.0.0.0)
    • GSuite
      • GSuite: Health
      • GSuite: Services
      • GSuite: Sentiment
      • GSuite: Advanced Health
    • Support
      • Support: Level 1
    • Shadow IT
      • Shadow IT
    • Malware Protection
      • Malware Protection
    • Office 365 Health
      • Office 365 Health: Overview
      • Office 365 Health: Services
    • Office 365 OneDrive
      • OneDrive Summary
      • OneDrive Operations
      • OneDrive Advanced Health
      • OneDrive Migration
      • OneDrive Sentiment
      • OneDrive Management
      • OneDrive Advanced Operations
    • Office 365 Teams
      • Teams Overall Configuration
      • Teams - Migration
      • Teams - Health
      • Teams - Advanced Health
      • Teams - Adoption
    • Microsoft 365 Apps
      • Microsoft 365 Apps - Operate
    • Employee Self Service
      • Overview
      • Configuration
      • Usage
    • Onboarding Experience Management
      • OEM - Overview
      • OEM - Configuration
    • Office 365 Outlook
      • Outlook Troubleshooting
    • Virtualization
      • Virtualization: Operate
      • Virtualization: AVD - Advanced
      • Virtualization: Citrix Advanced
      • Virtualization: Project
      • Virtualization: Troubleshooting
        • Virtualization: Troubleshooting: Configuration
    • Windows
      • Win10: Configuration
      • Win10: Migration
      • Win10: Feature Update
      • Win10: Quality Update
      • Windows Defender Management
      • Administrators Management
    • Windows 11
      • Windows 11 - Readiness
      • Windows 11 - Migration Pilot
      • Windows 11 - Migration
      • Windows 11 - Operate
    • Webex
      • Webex Operate
    • Zoom
      • Zoom Operate
    • Remote Actions
      • Get Performance Monitor Data
      • Skype For Business
      • Restart Device
      • Upload Logs to S3 using PreSigned URLs
    • Software Asset Optimization
    • Collaboration Optimization
      • Collaboration Optimization - Solution Overview
      • Collaboration Optimization - Configuration
      • Collaboration Optimization - Usage / Troubleshooting
    • Systems Management
      • Manage Configuration Drift
      • MS ConfigMgr - Client Health
        • MS ConfigMgr - Client Health - Summary
        • MS ConfigMgr - Client Health - Configuration Guide
      • Intune
        • Intune - Health
          • Intune - Health - Summary
          • Intune - Health - Configuration Guide
    • Return to the office
      • Return to the office - Planning
      • Return to the office - Readiness
    • Green IT
      • Green IT - Overview
      • Green IT - Configuration Guide
    • Hybrid Working
      • Hybrid Working Experience
      • Hybrid Working Experience - Installation and upgrade procedure
  • Integrations
    • Nexthink ServiceNow Service Graph Connector
      • Overview
        • Roles and Permissions
        • Modules
      • Installation and Configuration Guide
        • Pre-requisites
          • Configure Identification Rules
          • Import and setup the CMDB categories in Finder
        • Setup
          • Configure the connection
          • Configure import properties
          • Configure additional engines
          • Set up scheduled import jobs
      • Data transformation and mapping by default
      • How to customize the behaviour of the Connector
      • FAQ
        • Why ServiceNow Service Graph Connector?
        • What about Nexthink CMDB Connector?
        • Why is the name the primary key for the devices?
      • Troubleshooting
        • IRE identification issues
          • [No Choice found in the sys_choice table for the target table](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/ire-identification-issues/ no-choice-found-in-the-sys_choice-table-for-the-target-table.md)
          • Identification rules not created
          • Discovery_source choice not created
        • Timeout Errors
          • ECCResponseTimeoutException
          • HTTP 0 error
        • MID server issues
          • java.lang.NullPointerException
          • MID Server memory issues
          • Not trusted certificates in Quebec release
        • Configure credentials issues
          • [Not allowing update of property authentication_choice](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/configure-credentials-issues/ not-allowing-update-of-property-authentication_choice.md)
          • Invalid username/password combo (HTTP 401/403)
        • Configure Engines Issues
          • [The client secret supplied for a confidential client is invalid](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/configure-engines-issues/ the-client-secret-supplied-for-a-confidential-client-is-invalid.md)
        • No Cis imported and no errors found in the log
    • Nexthink ServiceNow Incident Management Connector (IMC)
      • Installation and configuration guide (IMC)
      • Troubleshooting Guide (IMC)
      • Domain separation installation (IMC)
    • Nexthink ServiceNow CMDB Connectors
      • Installation and Configuration Guide
      • Troubleshooting Guide
      • Field transformation and normalisation examples
    • Nexthink Event Connector
      • High level overview
      • Installation and Configuration Guide
      • Troubleshooting guide
      • RPM installation
      • Splunk specific documentation
        • Upgrading from Splunk Connector to Event Connector
        • Splunk add-on installation and usage
    • Nexthink Chatbot SDK
      • Introduction and concepts
      • Installation, configuration and update guide
        • Installation and configuration
        • Update to newer version
        • Uninstallation
        • Authentication
        • Topics configuration
        • Remote action configuration
        • Advanced configuration
        • Additional resources and references
      • Dimensioning guide
      • Troubleshooting
      • Technical solution description
      • Downloads and release notes
  • Glossary and references
    • Search and information display
      • Search in Finder
      • Keyboard shortcuts for column display selection
      • Campaign display compatibility
      • Real-time and consolidated service data
      • Service errors and warnings
      • Errors and warnings for devices and executions
      • Types of widgets
      • Widget compute state in charts
      • Errors in the execution of remote actions
      • Top results of Cross-Engine investigations
      • Engine data history
    • Tooltips in the user and device views
      • Alerts tooltips
      • Warnings tooltips
      • Errors tooltips
      • Activity tooltips
      • Services tooltips
    • Database information and organization
      • Maximum supported values
      • Local and shared content
      • Device Identification
      • Local IP address of devices
      • Timestamping of events
      • Boot and logon duration
      • Application startup duration
      • Application not responding events
      • Memory and CPU usage
      • Status of TCP connections
      • Status of UDP connections
      • Network and port scan conditions
      • Binary paths
      • Maximum number of Binaries
      • Package Executable Mapping
      • Metro apps
      • Investigation with packages
      • Portal aggregation and grouping
      • Focus time metric
    • Security
      • Access rights and permissions
      • Active Directory authentication
      • Canonical domain names for Windows authentication
      • System alerts
      • Audit trail
      • Appliance hardening
      • STIG hardening
      • FIPS 140-2 compliance
      • Security bulletins
        • Is Nexthink affected by Okta breach
        • Is Nexthink affected by SolarWinds breach
        • Nexthink and Log4j - Security bulletin
        • CVE-2022-22965 - Security Vulnerability Spring4shell - Spring Framework
        • Version 6.22.2.10: Security Vulnerability Maintenance Release
        • The Collector V6.27.X Release – Security Bulletin
    • References
      • Components of the Collector
      • Server support
      • Compatibility mode
    • Glossary
      • Activity
      • Alert
      • Application
      • Binary
      • Campaign
      • Category
      • Connection
      • Dashboard
      • Destination
      • Device
      • Domain
      • Entity
      • Event
      • Executable
      • Execution
      • Focus time
      • Hierarchy
      • Installation
      • Investigation
      • Keyword
      • Metric
      • Module
      • Object
      • Package
      • Platform
      • Port
      • Printer
      • Score
      • Service
      • Session
      • System boot
      • User
      • User logon
      • Web request
      • Widget
  • API and integrations
    • Integrating with Nexthink
      • Event Connector
      • Getting data through the NXQL API
      • Bidirectional integration with the Finder
      • Count metrics API
      • Software metering API
      • Services API
      • List Engines API
      • GetSID API
      • Triggering campaigns via their API
      • Triggering remote actions via their API
      • Audit trail API
      • Integrating investigation-based alerts
      • Downloads
    • NXQL API
      • Introducing the NXQL API
      • NXQL Tutorial
      • NXQL language definition
      • NXQL Data Model
    • Integrations
      • Excel integration with NXQL
      • Power BI
      • Azure Data Lake Storage Gen2
      • Splunk Event Connector
    • ServiceNow
      • CMDB Connector
      • Incident Management Connector
      • Event Management

© Nexthink

  • Privacy policy
  • Responsible Disclosure Policy
On this page
  • Overview
  • Exploring activities in the timelines
  • Navigating through history
  • Zooming
  • Timeline sections of the user view
  • Devices
  • Printers
  • Services
  • Timeline sections of the device view
  • Alerts
  • Errors
  • Warnings
  • Activity
  • Network services
  • Web services
  • Users

Was this helpful?

  1. User manual
  2. Visualizing system activity in the Finder

Graphically observing the activity of users and devices

Last updated 9 months ago

Was this helpful?

Overview

To see at a glance the recent activities, scores, or detailed properties of a particular user or device, respectively open the user view or the device view in the Finder. Both the user and the device views include a Timeline tab and a Properties tab, as well as up to ten score tabs:

  • Select the Timeline tab to explore the activities of a user or device in chronological order.

  • Select the Properties tab to display detailed information about a user or device.

  • Select a score tab to see the breakdown of the ratings of a user or device, according to the aspects covered by the main score. Optionally launch remote actions on devices with a low score when the documentation of the score includes links to remote actions.

By default, the device and user views open the Timeline tab.

To open the user view or the device view of a particular user or device, either:

  • and click the name of the user or device in the results of the search.

  • From the list of results of an investigation based on users or devices, right-click the entry of the user or device and select Display user view or Display device view, or double-click the entry of the user or device, or select it and press Enter.

  • From any of the other graphical views of the results of an investigation (Network, Web or Local activity views) that display users or devices, right-click the name or the icon of a user or device and select Display user view or Display device view.

  • From the user view itself, open the device view of any of the devices listed in the Devices section of the Timeline tab, or listed in the Last user activity section of the Properties tab, by clicking their name.

  • Likewise, from the device view, open the user view of any of the users that interacted with the device, displayed in the section Users of the Timeline tab, by clicking their name.

At the top of the view, get basic information about the selected object:

User view
Device view

Name

The name of the user.

Type

The class of user: local, domain or system.

First Seen

The first time of recorded user activity.

Last Seen

The last time of recorded user activity.

Name

The name of the device.

Platform icon

A pictorial representation of the platform of the device: Windows or macOS.

Entity

The leaf node in the hierarchy, followed by the name of the Engine between parentheses, to which the device belongs.

Last IP address

The IP address of the device during its last recorded connection.

Last Seen

The last time of recorded device activity.

Below this basic object information, find the buttons that let you switch between the Timeline, Properties, and scores tabs. When selecting the Properties tab, a comparison tool appears to the right of the basic object information. Because this section focuses on visualizing system activity, the rest of this article is dedicated to the Timeline tab. To know more about the Properties tab, see the article on . For more information about the score tabs, see how to .

To refresh the view, click the button with a circular arrow placed to the far right of the tab selection buttons. Refreshing the view is particularly useful when it is open for a long time and you want to see the last activity of a user or device.

Exploring activities in the timelines

The Timeline tab displays in fact several timelines grouped by sections. While the actual sections and their content depend on the type of object observed (user or device), the techniques to explore the timelines remain essentially the same.

To know the time scale of the timelines, find a ruler at the top of the view that divides the horizontal space in equal parts. Each subdivision of the ruler corresponds to a time interval of the recent history of the user or device under examination. Date and time labels in the ruler indicate the precise moment associated to a subdivision mark. In accordance with the ruler, an activity or event in the timelines found by following down a vertical line from a particular subdivision occurred during the time interval associated to that subdivision.

Hover the mouse cursor over a timeline with data and keep it there for a moment. A kind of structured tooltip eventually shows up. The tooltip summarizes the activities and events related to the timeline that happened during the time slot under the mouse cursor. A vertical and a horizontal dashed lines, crossing at the timeline slice pointed by the mouse cursor, show up shortly after the tooltip to help you locate the time interval in the ruler and the title of the timeline.

To investigate further what happened during a timeline slice, right-click the timeline at the point of interest. A context menu displays a list of options that let you open different views or drill down to related items, depending on the particular timeline. To directly drill down to the related main objects or events instead, double-click the timeline .

By default, the Timeline tab displays the last 24 hours in the history of a user or device.

Navigating through history

To the left of the date and time ruler, click the button with a triangle pointing to the left to go back in time. Likewise, click the button to the right of the ruler that depicts a triangle pointing to the right to go forward in time. For displaying data further in the past or closer to the present, the ruler and the timelines scroll right or left accordingly, following the opposite direction of the arrow clicked.

Alternatively, hover the mouse pointer over the ruler. The pointer turns into a double-headed horizontal arrow. Click and drag the pointer to the left to go forward in time. To go back in time, click and drag the pointer to the right. The ruler and the timelines scroll as you drag the mouse pointer.

The available history is limited by the amount of events recorded in the in-memory database of the Engine. The Finder stops scrolling to the past once you reach the time of the oldest event in the database. For completeness, the Finder lets you scroll a few hours into the future. It does not make much sense to go beyond the present time though, as the future is naturally empty of data.

Zooming

The default settings of the Timeline tab let you see the last 24 hours of a user or device. At that zoom level, every subdivision in a timeline represents a time interval of 30 minutes. With this granularity, two events separated by ten minutes, for instance, may reside in the same time slot, giving the appearance of simultaneity.

To know which event happened first, select an area surrounding the apparently simultaneous events and zoom in:

  1. Click the part of the timeline located immediately before the events of interest and keep the mouse left button pressed.

  2. Drag the mouse cursor over the events of interest and release the mouse button as soon as you have covered them with a rectangular selection area.

  3. Click the magnifying glass with the plus sign that is placed in the top right corner of the timelines or press Enter.

This zoom in button is enabled only when you have selected an area in the timelines. It also gets disabled when you reach the maximum allowed resolution (one second per subdivision).

Some timelines related to events also propose an option to zoom in in their context menu. As an alternative to the zooming method proposed above, right-click the timeline and select Zoom in on events when available.

To zoom out to the previous level, click the magnifying glass with the minus sign in the top right corner of the timelines or press Backspace. The zoom out button is enabled until you reach the maximum time span allowed (7 days).

To go back to the default 24 hours view, click the house icon placed to the left of the two magnifying glasses.

Timeline sections of the user view

In the timelines of the user view, find events and activities related to the devices with which the user interacted, the print jobs that the user started and the services that the user accessed.

Remember that timelines are actionable. Right-clicking a point in the timeline brings up a context menu with drill-downs and other options to jump to information related to the data in the timeline.

Applies to platforms | Windows | macOS |

Devices

Windows or Mac

Device alerts

Occurrences of investigation-based alerts.

Errors

Applications not responding or crashing, system crashes (Windows bluescreens or macOS kernel panics) and hard resets.

Warnings

Notifications of high cpu load, high memory usage, or a big number input and output operations or page faults.

Interaction

Times when the user was active on that device (with the keyboard or the mouse), in addition to system boots and user logons.

Citrix RTT

The measure of the user screen lag.

Session network latency

Indication of the time delay between a user action and its visual response.

Windows and Mac devices share the same timelines, but warnings about IO operations or page faults are available for Windows devices only.

For device events to appear in the user view, they must be related to some user interaction with the machine.

Printers

For each printer, find the print jobs that the user has sent. Click the plus icon to the left of the name of the printer to break down the print jobs by device. Each print job appears then on a different timeline depending on the device that the user employed to send the print job.

Services

See the activity of the user in relation to the services that you have defined. Click the plus button to the left of the name of the service to break down the activity by device. Again, if Cross-Engine features are enabled, devices located on a different Engine from the Engine to which the Finder is currently connected are also shown on the list.

Depending on how you defined the service, you can further break down to the activity of the executables that compose the service.

Timeline sections of the device view

In the timeline, you can quickly detect whether the computer generated any alert, experienced any error or warning, had new software installed, connected properly to networked services, etc. This information is presented in different sections.

Note as well that a same device that has connected to several Engines because it changed its assignment, is seen as a different device by each Engine. Therefore, all the data in the device view comes from a single Engine and there is no merged data, even when the Cross-Engine features are enabled.

From top to bottom, the timeline of the device view displays the sections detailed below.

Applies to platforms | Windows | macOS |

Alerts

There are two separate sections:

  • Global alerts.

  • My alerts (user-defined alerts).

Each defined alert has its own timeline. Occurrences of the alert are marked in the timeline, graphically showing their start time and the duration. For the sake of clarity, only alerts that have been triggered during the selected time frame are displayed.

To see the exact time of triggering and the duration of an alert, hover the mouse cursor over the occurrence of the alert. If more than one occurrences of the alert overlap, the hovering tooltip gives you a list of all the occurrences.

To see a list of all the devices that triggered an alert, right-click the mark of the alert in the time-line, choose an occurrence if more than one is available and select Show Alert.

Errors

Warnings

Warnings are represented in the timeline as small boxes. The intensity of the color that fills the box indicates the severity of the warning. The more intense the color is, the more severe is the warning. High memory usage, high IO operations, and high page faults warnings use a yellow shade to signal the condition in the timeline.

On their turn, high CPU warnings signal their condition with two different colors, depending on the particular cause for issuing the warning:

  • Yellow, if the overall load in the CPU of the device is high, regardless of the load being caused by the execution of a few or a lot of applications.

  • Blue, if some specific applications have a high CPU consumption, but this load is not enough to signal an overall warning for the device.

Activity

In the Activity section, you find information about momentary activities, such as the detection of new binaries, print jobs, sytem boots, user logons and package and patch installations and uninstallations. You find as well information on lasting activities such as executions and connections.

Momentary activities are shown in their own timeline as blue circles with a number inside that indicates the number of overlapping events, similar to the red circles used for displaying errors. Lasting activities, in turn, are shown as blue squared boxes in the timeline, where the brightness of the color indicates the level of the activity (number of executions or connection traffic), similar to the boxes that are used to display warnings. As usual, if the system did not perform any activity of a certain type the activity is not shown at all, instead of displaying an empty timeline.

For lasting activities, that is Connections and Executions, hovering the mouse over a blue box yields:

  • For Connections, the amount of traffic registered during the time span of the box.

  • For Executions, the number of processes run on the time span of the box.

You can drill-down from a box of a lasting activity to the list of individual connections or executions that make it up by right-clicking in the box and selecting Show connections or Show executions. Connections have an additional option Show network activity that lets you navigate directly to a Network activity view and specify the metric to see in it (traffic in, traffic out, failed connections, etc).

In the Activity section, yellow color in the timeline warns you about administrator activity. A warning message notifies the use of administration privileges when you hover the mouse cursor over an activity timeline with yellow color. Two kinds of activities use a yellow display when they are carried out by users with administration privileges: User logons and Executions.

  • When a user logs in to a device with administrator privileges, the circle representing the user logon activity is no longer blue, but yellow.

  • When a program is run with administrative privileges, the blue boxes that show the executions are crossed by a yellow line to warn that at least one had admin privileges.

Network services

For every defined network-based service, you see a timeline indicating the status of the connections of the selected device to the service. Network connections to the service are displayed again as blue boxes. If any connection problem is detected, the blue boxes are crossed by a yellow line to indicate a warning and by a red line to indicate an error.

To open the Service view, click the name of the service at the beginning of the timeline or double-click a box in the timeline. There you find detailed information about the service for the last 24 hours.

Finally, you can also navigate to the Network activity view of the connections to the service from the timeline by right-clicking on any box and selecting Show network activity. Double-click in the box, as with connections in the Activity section.

Web services

If you installed the Web & Cloud product as an addition to the Nexthink Platform, you find a Web services section in the device view dedicated to web-based services. This section is very similar to the one dedicated to network-based services.

By hovering the mouse cursor over the boxes in the timeline, you get the statistics about the web-based service: traffic, requests, type of responses, average response time, etc.

To open the Service view, click the name of the web-based service at the beginning of the timeline or double-click a box in the timeline. To navigate to the Web activity view, right-click a box in the timeline and select Show web activity.

Users

In the lower part of the device view, you find the timelines that list the users who interacted with the system. There is a timeline for each one of them and the associated account name is displayed on the left side.

For privacy reasons, measurement of the interaction time of the user with the computer can be disabled. If user interaction measurement is disabled, the User interaction data is not displayed.

Click the name of a user to open the corresponding User view.


RELATED TASKS

RELATED CONCEPT

RELATED REFERENCES

For every active device linked to the user, find one or several timelines associated to it. If are enabled in the Finder, the section includes those devices located on any Engine; otherwise, the section only displays the devices located on the Engine to which the Finder is currently connected. The information displayed in the timelines depends on the platform of the device. For Windows or Mac devices, a main timeline groups all the information available. Click the plus icon to the left of the name of the Windows or Mac device to expand the main timeline into its individual components.

Signal errors in the device, such as application or system crashes. The error is shown in the timeline as a red circle with a number inside. The number inside the circle is bigger than one if more than one error condition overlap in the timeline. Hovering the mouse over the circle gives you a (or the reasons, in the case of overlapping errors).

Hovering the mouse cursor over a warning displays a . For example, when hovering over warnings on applications using too much CPU or memory, a tooltip gives you a list of the applications that contributed the most to consumption of these resources.

For every momentary activity, hovering the mouse cursor over the blue circle gives you a . For instance, hovering over a New binaries occurrence in the timeline displays a list of the binaries whose execution has been detected for the first time at that precise moment. Right-clicking in a blue circle of a momentary activity lets you choose among different options depending on the type of activity.

To see a (total traffic, number of connections, failed connections, response time, etc), hover the mouse over the desired box in the timeline. Additionally, you get a summary list of the errors and warnings that happened during the period delimited by the box, if any.

For the users connecting remotely, the timeline provides additional information. The quality of the data transfer is monitored using the . If the connection is done using the ICA protocol, the is available. Executions initiated by the user are also added to the timeline.

Cross-Engine features
summary of the reason for the error
summary of the reasons for the warning
summary list of the causes for displaying the activity
summary with the statistics of the connections to the service
session network latency
Citrix RTT
Comparing the properties of users and devices
Checking and comparing ratings
Enabling Cross-Engine Finder features
Session metrics
Device
Errors and warnings for devices and executions
Alerts tooltips
Errors tooltips
Warnings tooltips
Activity tooltips
Services tooltips
properties of users and devices
check the ratings of users and devices
Look for the user or device in the search box of the Start page