Skip to content

Field Reference

Note

Quick lookup of available fields for each NQL table - field names, data types, and example usage to prevent "field not found" errors.

How to Use This Reference

When to use:

  • Building a new query and unsure which fields are available
  • Getting "field not found" errors
  • Exploring what data is available per table

How to read:

  • Field Name - Exact field name to use in your query
  • Type - Data type (string, number, duration, timestamp, etc.)
  • Description - What the field contains
  • Example Value - Typical data you'll see
  • Common Usage - Where you'd use this field (filter, compute, list)

Field Naming Pattern

  • Use . to access nested fields: device.operating_system.name
  • Use _ within field names: cpu_usage, free_memory
  • Event tables prefix some fields with event.: event.destination.domain

devices Table

Table type: Object (current state) Time selection: Not required (optional during past Xd for joins) Use for: Device inventory, hardware specs, current configuration

Top 25 Device Fields

Field Type Description Example Value Usage
device.name string Device hostname "LAPTOP-001" list, where, by
operating_system.name string OS name and version "Windows 11" where, list, by
operating_system.platform enum OS platform windows, macos, linux where, list, by
operating_system.version string Detailed OS version "22H2", "10.15.7" where, list
hardware.memory number (bytes) Total RAM 17179869184 (16GB) where, list (use .as(format = bytes))
hardware.model string Hardware model "HP EliteBook 840 G8" list, where
volumes.size number (bytes) Total disk size 512110190592 (512GB) list, where
last_seen timestamp Last contact with Nexthink 2026-01-09 14:32:15 list, where, sort
department string Department assignment "IT", "Sales" where, list, by
location string Physical location "New York Office" where, list, by
manufacturer string Device manufacturer "HP", "Dell", "Apple" where, list
model string Device model "EliteBook 840 G8" list, where
serial_number string Serial number "CND1234ABC" list, where
bios.version string BIOS version "U65 Ver. 01.12.00" list
number_of_logical_processors number CPU core count 8, 16 list, where
processor_name string CPU model "Intel Core i7-1185G7" list
chassis.type enum Form factor laptop, desktop, server where, list
domain string AD domain "CORP", "DOMAIN" where, list
ip_address string IP address "192.168.1.10" list, where
mac_address string MAC address "00:1A:2B:3C:4D:5E" list, where
agent_version string Nexthink agent version "6.30.1.1234" list, where
first_seen timestamp First contact 2025-06-15 09:12:00 list, where
owner string Assigned user "john.doe" list, where
cost_center string Cost center code "CC-1234" where, list, by
notes string Admin notes "VIP device" list

Example Queries - devices

Basic inventory: 

devices
| list device.name,
       operating_system.name,
       hardware.memory.as(format = bytes),
       last_seen
| limit 50

Windows 11 devices with >16GB RAM: 

devices
| where operating_system.name == "Windows 11"
  and hardware.memory > 17179869184
| list device.name,
       hardware.memory.as(format = bytes),
       processor_name,
       department
| sort hardware.memory desc
| limit 100

Devices not seen in 7 days: 

devices
| where last_seen < ago(7d)
| list device.name,
       last_seen,
       operating_system.name,
       location
| sort last_seen asc
| limit 100

execution.events Table

Table type: Event (sampled data, 5-15 min intervals) Time selection: REQUIRED - during past Xd or past Xh Retention: 8 days (high-res), 30 days (low-res) Use for: Process execution, CPU/memory usage, application activity

Top 25 Execution Event Fields

Field Type Description Example Value Usage
binary.name string Executable name "outlook.exe" where (filter early!)
application.name string Application name "Microsoft Outlook" where, by, list
cpu_time number (ms) CPU time consumed 15234 (15.2 sec) .avg(), .sum()
real_memory number (bytes) Memory usage 524288000 (~500MB) .avg(), .max()
execution_duration number (ms) How long process ran 3600000 (1 hour) .sum(), .avg()
number_of_started_processes number Process starts 5 .sum()
number_of_logical_processors number CPU cores available 8 .max()
device.name string Device hostname "LAPTOP-001" by, where, list
user.name string Username "john.doe" by, where, list
context.os_name string OS at event time "Windows 10" where, by
context.device_platform enum Platform at event time windows where, by
context.department string Department at event time "IT" where, by
context.location string Location at event time "NYC Office" where, by
context.hardware_model string Hardware model at event "EliteBook 840" where, by
incoming_traffic number (bytes) Download bandwidth 5242880 (5MB) .sum(), .avg()
outgoing_traffic number (bytes) Upload bandwidth 1048576 (1MB) .sum(), .avg()
connection_establishment_time number (ms) Network RTT 45 (45ms) .avg(), .max()
number_of_established_connections number Successful connections 25 .sum()
number_of_no_host_connections number Failed (no host) 2 .sum()
number_of_no_service_connections number Failed (no service) 1 .sum()
number_of_rejected_connections number Rejected connections 0 .sum()
binary.version string Executable version "16.0.15225.20288" where, by, list
binary.publisher string Software publisher "Microsoft Corporation" where, list
startup_duration number (ms) Application startup time 3500 (3.5 sec) .avg()
binary.size number (bytes) Executable file size 2097152 (2MB) list

Example Queries - execution.events

Outlook CPU usage by device: 

execution.events during past 7d
| where binary.name == "outlook.exe"
| summarize
    avg_cpu = cpu_time.avg(),
    avg_memory = real_memory.avg(),
    total_execution_time = execution_duration.sum()
  by device.name
| list device.name,
       avg_cpu,
       avg_memory.as(format = bytes),
       total_execution_time
| sort avg_cpu desc
| limit 20

Process activity trend: 

execution.events during past 30d
| where binary.name in ["outlook.exe", "teams.exe", "chrome.exe"]
| summarize
    unique_devices = device.count(),
    avg_cpu = cpu_time.avg()
  by 1d, binary.name
| sort start_time asc

execution.crashes Table

Table type: Event (discrete events) Time selection: REQUIRED - during past Xd Retention: 30 days Use for: Application stability, crash analysis

Top 15 Crash Event Fields

Field Type Description Example Value Usage
binary.binary.name string Crashed executable "outlook.exe" where
binary.real_binary.name string Actual crashed binary "outlook.exe" where
binary.real_binary.version string Crashed binary version "16.0.15225.20288" by, list
application.name string Application name "Microsoft Outlook" where, by, list
device.name string Device that crashed "LAPTOP-001" by, list
user.name string User who experienced crash "john.doe" by, list
crash.type string Crash type "exception", "hang" where, by, list
crash.exception_code string Exception code "0xC0000005" list, where
crash.module string Faulting module "ntdll.dll" list, where
context.os_name string OS when crash occurred "Windows 11" where, by
context.department string Department at crash time "Sales" where, by
timestamp timestamp When crash occurred 2026-01-09 10:15:32 list, where
binary.publisher string Software publisher "Microsoft Corporation" list, where
binary.product_name string Product name "Microsoft Office" list, where
operating_system.version string OS version "22H2" list, where

Example Queries - execution.crashes

Crash analysis by version: 

execution.crashes during past 7d
| where binary.binary.name == "outlook.exe"
| summarize
    crash_count = count(),
    affected_devices = device.name.count(),
    affected_users = user.name.count()
  by binary.real_binary.version
| list binary.real_binary.version,
       crash_count,
       affected_devices,
       affected_users
| sort crash_count desc
| limit 20

Daily crash trend: 

execution.crashes during past 30d
| where application.name == "Microsoft Outlook"
| summarize crash_count = count() by 1d
| sort start_time asc

device_performance.events Table

Table type: Event (sampled data, 5-15 min intervals) Time selection: REQUIRED - during past Xd or past Xh Retention: 30 days (both resolutions) Use for: System performance (CPU, memory, disk)

Top 15 Performance Fields

Field Type Description Example Value Usage
cpu_usage.avg number (percent) CPU utilization 45.2 (45.2%) where, .avg(), .max()
free_memory number (bytes) Available RAM 8589934592 (8GB) .avg(), .last()
free_disk_space number (MB) Available disk space 102400 (100GB) .last(), .avg()
disk_read_rate number (bytes/sec) Disk read speed 1048576 (1MB/s) .avg(), .max()
disk_write_rate number (bytes/sec) Disk write speed 524288 (512KB/s) .avg(), .max()
network_bandwidth_in number (bytes/sec) Download speed 10485760 (10MB/s) .avg(), .sum()
network_bandwidth_out number (bytes/sec) Upload speed 1048576 (1MB/s) .avg(), .sum()
device.name string Device hostname "LAPTOP-001" by, where, list
device.hardware.memory number (bytes) Total RAM 17179869184 (16GB) .max()
device.volumes.size number (bytes) Total disk size 512110190592 (512GB) .max()
context.os_name string OS at event time "Windows 11" where, by
context.department string Department at event "IT" where, by
timestamp timestamp Event timestamp 2026-01-09 14:30:00 list
uptime number (seconds) System uptime 864000 (10 days) .avg(), list
running_processes number Process count 152 .avg()

Example Queries - device_performance.events

High CPU devices: 

devices during past 7d
| include device_performance.events
| where cpu_usage.avg > 50
| compute
    avg_cpu = cpu_usage.avg(),
    peak_cpu = cpu_usage.avg.max()
| list device.name,
       avg_cpu.as(format = percent),
       peak_cpu.as(format = percent)
| sort avg_cpu desc
| limit 20

Low disk space: 

devices during past 7d
| include device_performance.events
| compute free_space_gb = free_disk_space.last() / 1000
| where free_space_gb < 20
| list device.name,
       free_space_gb.as(format = bytes)
| sort free_space_gb asc
| limit 50

connection.events Table

Table type: Event (sampled data) Time selection: REQUIRED - during past Xd or past Xh Retention: 8 days (high-res), 30 days (low-res) Use for: Network connections, bandwidth, latency

Top 20 Connection Fields

Field Type Description Example Value Usage
event.destination.domain string Destination domain "api.service.com" where, by, list
event.destination.ip string Destination IP "192.168.1.10" where, list
event.destination.port number Destination port 443, 80 where, by, list
event.number_of_connections number Total connections 150 .sum()
event.number_of_established_connections number Successful connections 140 .sum()
event.number_of_no_host_connections number No host failures 5 .sum()
event.number_of_no_service_connections number No service failures 3 .sum()
event.number_of_rejected_connections number Rejected connections 2 .sum()
event.failed_connection_ratio number (percent) Failure rate 0.067 (6.7%) .avg(), where
incoming_traffic number (bytes) Download bandwidth 10485760 (10MB) .sum(), .avg()
outgoing_traffic number (bytes) Upload bandwidth 1048576 (1MB) .sum(), .avg()
connection_establishment_time number (ms) RTT latency 45 (45ms) .avg(), .max()
device.name string Device hostname "LAPTOP-001" by, where, list
binary.name string Process name "outlook.exe" where, by, list
application.name string Application name "Microsoft Outlook" where, by, list
context.os_name string OS at event time "Windows 11" where, by
context.location string Location at event "NYC Office" where, by
user.name string Username "john.doe" by, list
protocol string Network protocol "TCP", "UDP" where, list
timestamp timestamp Event timestamp 2026-01-09 14:30:00 list

Example Queries - connection.events

Connection failures by domain: 

connection.events during past 7d
| where event.destination.domain = "*.company.com"
  and event.failed_connection_ratio >= 0.10
| summarize
    total_connections = event.number_of_connections.sum(),
    failed_connections = (event.number_of_no_host_connections.sum() +
                          event.number_of_no_service_connections.sum()),
    avg_failure_rate = event.failed_connection_ratio.avg(),
    affected_devices = device.name.count()
  by event.destination.domain
| list event.destination.domain,
       total_connections,
       avg_failure_rate.as(format = percent),
       affected_devices
| sort avg_failure_rate desc
| limit 20

Network latency analysis: 

connection.events during past 7d
| where event.destination.domain = "*.service.com"
| summarize
    avg_rtt = connection_establishment_time.avg(),
    max_rtt = connection_establishment_time.max()
  by event.destination.domain
| list event.destination.domain,
       avg_rtt,
       max_rtt
| sort avg_rtt desc
| limit 20

web.page_views Table

Table type: Event (per page view) Time selection: REQUIRED - during past Xd Retention: 30 days Use for: Web application performance, page load times

Top 15 Web Performance Fields

Field Type Description Example Value Usage
application.name string Web application "Salesforce", "Confluence" where, by, list
page_load_time.backend number (ms) Server response time 1250 (1.25 sec) .avg(), .max()
page_load_time.frontend number (ms) Client rendering time 850 (0.85 sec) .avg(), .max()
page_load_time.total number (ms) Total page load 2100 (2.1 sec) .avg(), .max()
page_url string Page URL "/dashboard" where, list
page_title string Page title "Dashboard - Salesforce" list
device.name string Device hostname "LAPTOP-001" by, where, list
user.name string Username "john.doe" by, list
browser.name string Browser used "Chrome", "Edge" where, by, list
browser.version string Browser version "120.0.6099.130" list
response_code number HTTP status code 200, 404, 500 where, list
bytes_downloaded number (bytes) Page size 1048576 (1MB) .sum(), .avg()
context.location string Location at page view "NYC Office" where, by
timestamp timestamp When page loaded 2026-01-09 14:30:00 list
dns_lookup_time number (ms) DNS resolution time 15 (15ms) .avg()

Example Queries - web.page_views

Salesforce load times by device: 

web.page_views during past 7d
| where application.name == "Salesforce"
| summarize
    avg_load_time = page_load_time.total.avg(),
    max_load_time = page_load_time.total.max(),
    page_count = count()
  by device.name
| list device.name,
       avg_load_time,
       max_load_time,
       page_count
| sort avg_load_time desc
| limit 20

Web app performance comparison: 

web.page_views during past 7d
| where application.name in ["Salesforce", "Jira", "Confluence"]
| summarize
    avg_backend_time = page_load_time.backend.avg(),
    avg_frontend_time = page_load_time.frontend.avg(),
    page_views = count()
  by application.name
| list application.name,
       avg_backend_time,
       avg_frontend_time,
       page_views
| sort avg_backend_time desc

context vs device Fields

Understanding the difference prevents common query errors.

context Fields (Historical)

What: Values at the time the event occurred Prefix: context.* Use when: You need historical state or are analyzing event data

Common context fields:

  • context.os_name - OS when event happened
  • context.device_platform - Platform at event time
  • context.hardware_model - Hardware at event time
  • context.department - Department at event time
  • context.location - Location at event time

Example scenario:

Device upgraded from Windows 10 to Windows 11 yesterday.

/* Events from last week show historical OS */
execution.events during past 7d
| list device.name,
       context.os_name,              # Shows "Windows 10" for old events
       device.operating_system.name  # Shows "Windows 11" (current)

device Fields (Current)

What: Current device state (as of right now) Prefix: device.* Use when: You need current configuration or inventory state

Common device fields:

  • device.name - Current hostname
  • device.operating_system.name - Current OS
  • device.operating_system.platform - Current platform
  • device.hardware.memory - Current RAM (doesn't change often)
  • device.department - Current department assignment

Example:

/* Current device inventory */
devices
| list device.name,
       device.operating_system.name,  # Current OS
       device.hardware.memory,         # Current RAM
       device.department               # Current dept

When to Use Which

Scenario Use Example
Trending by OS version over time context.os_name Crash trend by OS at crash time
Current inventory report device.operating_system.name List of all Windows 11 devices
Performance by historical department context.department CPU by department at event time
Filter events by current device state device.* Events from devices currently in IT dept
"What was the environment when this happened?" context.* OS/dept/location at event time
"What is this device now?" device.* Current OS/dept/location

Data Type Reference

Understanding data types helps choose the right operators and functions.

Type Description Operators Aggregations Formatting
string Text values ==, !=, in, = (wildcards) .count() -
number Integers, decimals >, <, >=, <=, ==, != .sum(), .avg(), .max(), .min() .as(format = ...)
timestamp Date/time >, <, >=, <=, == .last(), .max(), .min() -
duration Time spans (ms, sec) >, <, >=, <= .sum(), .avg(), .max() -
enum Fixed set of values ==, !=, in .count() -
boolean true/false ==, != - -

Number subtypes:

  • bytes - Memory, disk space, file sizes (use .as(format = bytes))
  • milliseconds - Durations, latencies
  • percent - 0-100 scale (use .as(format = percent) for 0-1 scale)

Common Field Patterns

Pattern: Hardware Specifications

devices
| list device.name,
       hardware.memory.as(format = bytes),
       hardware.model,
       number_of_logical_processors,
       volumes.size.as(format = bytes)

Pattern: Network Performance

connection.events during past 7d
| where event.destination.domain = "*.company.com"
| summarize
    avg_rtt = connection_establishment_time.avg(),
    total_bandwidth = (incoming_traffic.sum() + outgoing_traffic.sum()),
    failure_rate = event.failed_connection_ratio.avg()
  by event.destination.domain

Pattern: System Performance

devices during past 7d
| include device_performance.events
| compute
    avg_cpu = cpu_usage.avg(),
    avg_free_memory = free_memory.avg(),
    free_disk_gb = free_disk_space.last() / 1000
| list device.name,
       avg_cpu.as(format = percent),
       avg_free_memory.as(format = bytes),
       free_disk_gb.as(format = bytes)

Tips for Using Fields

Check Field Exists on Your Table

Not all fields are available on all tables. If you get "field not found" errors: - Verify you're using the right table - Check this reference for field availability - Use device.field vs context.field appropriately

Use .as(format = ...) for Readability

Format bytes, percentages, and currency for better output: 

/* Raw output: 17179869184 */
| list hardware.memory

/* Formatted output: 16 GB */
| list hardware.memory.as(format = bytes)

Smart Aggregates: .avg() vs .avg

  • .avg - Database field (pre-computed, use in where)
  • .avg() - Aggregation function (compute average, use in compute/summarize) 
    /* Filter by pre-computed average */
| where cpu_usage.avg > 50

/* Compute true average */
| compute avg_cpu = cpu_usage.avg()

Event Fields Require Time Selection

/* ❌ ERROR - missing time window */
execution.events
| summarize count by binary.name

/* ✅ CORRECT */
execution.events during past 7d
| summarize count by binary.name

Don't Mix context and device for Same Field

/* ❌ INCONSISTENT - comparing different data */
execution.events during past 7d
| where context.os_name == "Windows 10"  # OS at event time
  and device.operating_system.name == "Windows 11"  # Current OS
/* This finds devices that UPGRADED! */

/* ✅ CONSISTENT - use one or the other */
| where context.os_name == "Windows 10"

Additional Resources