Predefined NQL

  • Log in to the Nexthink web interface.
  • Select Administration from the main menu.
  • Click on NQL API queries in the navigation panel in the Content Management section.

Create a new NQL API query by clicking on the New NQL API query button in the top-right corner of the page.

  • Name: Enter the name as listed below in Predefined Queries.
  • Query ID: Ensure the identifier matches the one listed below in Predefined Queries.
  • Description: (NQL API Analysis DO NOT DELETE)
  • NQL query: Copy and paste the NQL below into each query, ensuring it is identical.

Ensure that the Infinity Transition Support Library Pack is installed and the tenant address is configured in Application Experience. The application name must be exactly "Nexthink Infinity Transition", because the usage queries below filter on that name.

Adoption and Usage

RA_Executions_Per_Day

remote_action.executions during past 30d
| summarize Total_RA_Executions = count() by 1d
| sort start_time desc

Successful_RA_Executions_Per_Day

remote_action.executions_summary during past 30d
| where status == success
| summarize Successful_Exections_Remote_Actions = count() by 1d
| sort start_time desc

Failing_RA_Executions_Per_Day

remote_action.executions_summary during past 30d
| where status == failure
| summarize Failing_Exections_Remote_Actions = count() by 1d
| sort start_time desc

RA_Executions_by_Purpose

remote_action.executions
| where status == success
| summarize Remote_Action_Executions = count() by purpose

RA_Executions_by_Trigger_Method

remote_action.executions_summary
| summarize Executed_RAs = remote_action.nql_id.count() by trigger_method
| sort Executed_RAs desc

Baselining

RA_Executions_by_Source

remote_action.executions
| summarize Remote_Action_Executions = nql_id.count() by source

RA_by_Number_of_Executions

remote_action.executions_summary
| summarize Executions = count() by remote_action.name
| sort Executions desc

Percentage_of_RAs_Per_Device

devices | include remote_action.executions during past 30d
| compute Executed_RAs = number_of_executions.sum() , total_devices = device.name.count()
| summarize Percentage_of_RAs_Per_Device = total_devices.sum() / executed_ras.sum() *100

Percentage_of_Users_Accessing_Device_View

users | include web.page_views during past 30d
| where application.name == "Nexthink Infinity Transition" and url == "*sup/device*"
| compute Count_Users_device_view = user.name.count()
| include web.events during past 30d
| where application.name == "Nexthink Infinity Transition"
| compute Count_Users_Web_Interface = user.name.count()
| summarize Percentage_of_Users_Accessing_Device_View = (Count_Users_device_view.sum() / Count_Users_Web_Interface.sum()) * 100

Percentage_of_Users_Accessing_Diagnostics

users | include web.page_views during past 30d
| where application.name == "Nexthink Infinity Transition" and url == "*/diagnostic/*"
| compute Count_Users_diag = user.name.count()
| include web.events during past 30d
| where application.name == "Nexthink Infinity Transition"
| compute Count_Users_Web_Interface = user.name.count()
| summarize Percentage_of_Users_Accessing_Diagnostics = (Count_Users_diag.sum() / Count_Users_Web_Interface.sum()) * 100

Percentage_of_Users_Accessing_Live_Dashboards

users
| include web.page_views during past 30d
| where application.name == "Nexthink Infinity Transition" and url == "*/dash/dashboards/*"
| compute Count_Users_live_dash = user.name.count()
| include web.events during past 30d
| where application.name == "Nexthink Infinity Transition"
| compute Count_Users_Web_Interface = user.name.count()
| summarize Percentage_of_Users_Accessing_Live_Dashboards = (Count_Users_live_dash.sum() / Count_Users_Web_Interface.sum()) * 100

Percentage_of_Users_Running_Investigatons

users
| include web.page_views during past 30d
| where (application.name == "Nexthink Infinity Transition" and url == "*inv/run*")
| compute Count_Users_Inv_ = user.name.count()
| include web.events during past 30d
| where application.name == "Nexthink Infinity Transition"
| compute Count_Users_Web_Interface = user.name.count()
| summarize Percentage_of_Users_Running_Investigatons = (Count_Users_Inv_.sum() / Count_Users_Web_Interface.sum()) * 100

Percentage_of_Users_Working_with_Checklists

users | include web.page_views during past 30d
| where application.name == "Nexthink Infinity Transition" and url == "*checklists*"
| compute Count_Users_checklists = user.name.count()
| include web.events during past 30d
| where application.name == "Nexthink Infinity Transition"
| compute Count_Users_Web_Interface = user.name.count()
| summarize Percentage_of_Users_Working_with_Checklists = (Count_Users_checklists.sum() / Count_Users_Web_Interface.sum()) * 100

Number_Of_Devices_With_Less_Than_10GB

device_performance.events
| where system_drive_free_space.avg <= 10GB
| summarize Number_Of_Devices_With_Less_Than_10GB = device.name.count()

Disk_Type

disks
| summarize Number_Of_Disks_By_Type = count() by type

Statistics and Diagnostics

Average_Free_Disk_Space

device_performance.events
| summarize AVG_System_Driver_Free_Space = system_drive_free_space.avg()

Devices_With_Poor_Boot_Time

devices
| with dex.scores
| where endpoint.boot_speed_value <= 30
| summarize Number_Of_Devices_With_Poor_DEX_Boot_Value = device.name.count()

Outlook.exe_Crashes_Last_7_Days_By_Version

execution.crashes during past 7d
| where binary.name == "outlook.exe"
| where number_of_crashes >= 1
| summarize no_of_devices = device.count() by binary.version

Outlook.exe_Freezes_Last_7_Days_By_Version

execution.events during past 7d
| where binary.name == "outlook.exe"
| where number_of_freezes >= 1
| summarize no_of_devices = device.count() by binary.version

Teams.exe_Crashes_Last_7_Days_By_Version

execution.crashes during past 7d
| where binary.name == "teams.exe"
| where number_of_crashes >= 1
| summarize no_of_devices = device.count() by binary.version

Teams.exe_Freezes_Last_7_Days_By_Version

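execution.events during past 7d
| where binary.name == "teams.exe"
| where number_of_freezes >= 1
| summarize no_of_devices = device.count() by binary.version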

Incoming_Traffic_By_Binaries

execution.events
| where binary.product_name != "*Operating System*"
| summarize Executions_ = count(), Devices_ = device.count(),
incoming_traffic_ = incoming_traffic.sum() by binary.name, binary.product_name, binary.platform
| sort incoming_traffic_ desc

Outgoing_Traffic_By_Binaries

execution.events
| where binary.product_name != "*Operating System*"
| summarize Executions_ = count(), Devices_ = device.count(), outgoing_traffic_ = outgoing_traffic.sum() by binary.name, binary.product_name, binary.platform
| sort outgoing_traffic_ desc

Devices_With_>5_Application_Freezes_24hrs

execution.events during past 24h
| where operating_system.name != "*server*" and product_name !in ["*windows*"]
| where number_of_freezes >= 5
| summarize no_of_devices = device.name.count()

Devices_With_>5_Application_Freezes_24hrs

execution.events during past 24h
| where operating_system.name != "*server*" and product_name !in ["*windows*"]
| where number_of_freezes >= 5
| summarize no_of_devices = device.name.count()

Number_Of_Devices_With_Crashes_Timeline_By_1d

execution.crashes during past 7d
| summarize device_Count_ = device.name.count() by 1d
| list start_time, end_time, device_Count_
| sort start_time asc

Number_Of_Devices_With_Freezes_Timeline_By_1d

execution.events during past 7d
| where number_of_freezes >= 1
| summarize device_Count_ = device.name.count() by 1d
| list start_time, end_time, device_Count_
| sort start_time asc

Number_Of_Devices_With_Crashes_Timeline_By_1d

execution.crashes during past 7d
| summarize device_Count_ = device.name.count() by 1d
| list start_time, end_time, device_Count_
| sort start_time asc

Average_Time_Until_Desktop_Is_Ready_By_Model

session.logins
| where operating_system.platform == Windows and operating_system.name != "*server*"
| summarize desktop_ready = time_until_desktop_is_ready.avg() by device.hardware.model

Poor_Average_Time_Until_Desktop_Is_Ready_By_Model

session.logins
| where operating_system.platform == Windows and operating_system.name != "*server*" and time_until_desktop_is_ready > 180s
| summarize desktop_ready = time_until_desktop_is_ready.avg() by device.hardware.model

Collaboration

Boot_Duration_By_Type

device_performance.boots
| where operating_system.platform == Windows and operating_system.name != "*server*"
| summarize boot_duration = duration.avg() by device.hardware.model
| sort boot_duration desc

Device_Model_By_Lowest_Battery_Health

devices
| where remote_action.get_battery_status.execution.outputs.BatteryHealth.rating == poor
| summarize battery_health_ = device.name.count() by hardware.model
| sort battery_health_ desc

DEX_Device_Score_By_Model

dex.scores during past 30d
| summarize endpoint_score = endpoint.value.avg() by device.hardware.model
| list device.hardware.model, endpoint_score
| sort endpoint_score desc

Login_Speed_By_Model

session.logins
| where operating_system.platform == Windows and operating_system.name != "*server*"
| summarize desktop_visible = time_until_desktop_is_visible.avg() by device.hardware.model
| sort desktop_visible desc

High_CPU_By_Model_Last_7Days

devices
| with device_performance.events during past 7d
| where context.os_name != "*server*"
| compute cpu_percentage_usage = normalized_cpu_usage.avg()
| where cpu_percentage_usage >= 50
| summarize Device_Count_ = device.name.count() by hardware.model
| sort Device_Count_ desc

Number_Of_Devices_By_Manufacturer

devices during past 7d
| summarize Device_Count = count() by hardware.manufacturer
| sort Device_Count desc

Number_Of_Devices_By_Model

devices during past 7d
| summarize Device_Count = count() by hardware.model
| sort Device_Count desc

Number_Of_Devices_By_Build

devices during past 7d
| summarize Device_Count = count() by operating_system.name, operating_system.build
| sort Device_Count desc

Number_Of_Devices_By_Geolocation

devices during past 7d
| summarize Device_Count = count() by public_ip.country, public_ip.state, public_ip.city, public_ip.isp
| sort public_ip.country desc

Boot_Duration_By_Type

device_performance.boots
| where operating_system.platform == Windows and operating_system.name != "*server*"
| summarize boot_duration = duration.avg() by device.hardware.model
| sort boot_duration desc