Expanding the time frame of investigations in the Finder

Expanding the time frame of investigations in the Finder

Because of the large number of events that an Engine stores, investigations that iterate through activities or events may have a high computational cost for the Engine.

An investigation iterates through activities or events because of either one of the following reasons:

  • The investigation retrieves activities or events. For example, an investigation that lists all the executions that ran on a particular device during the last hour.
  • The investigation retrieves objects, but it does so under one or several of the following circumstances:
    • A condition on activities or events. For example, an investigation that lists the devices where a package was removed (uninstallation events) during the last day.
    • The computation of at least one aggregate that depends on activities or events and that is not pre-calculated for the full period available in the Engine. For example, an investigation that lists the devices with an outgoing network traffic bigger than 10 MB during the last hour.
    • A forced time frame restriction. For example, an investigation that lists the users with a time frame of last 1 day returns only the users that were active that last day.

These investigations do not admit the Full available period time frame because they could take too long to execute completely. In fact, to avoid long and costly computations in the Engine, the time frame of activity-related investigations is limited to a maximum of 7 days by default.

To circumvent the 7 days limit for investigations in the Finder, you need to manipulate the Windows registry. After removing the limit, the Finder allows you to query the Engine with investigations whose time frame spans up to the maximum number of days available in the Engine. Beware however that investigations with very long time frames may require more computation power from the Engine, rendering it less responsive and potentially impacting other users of the Finder, so you should handle this feature with care:

  1. In the computer where the Finder is installed, press Win(key)+R to display the run dialog.
  2. Type in regedit as the program to open in the dialog and press Enter. The Registry Editor opens.
  3. Browse the Windows registry in the Registry Editor and select the key HKEY_CURRENT_USER\Software\Nexthink.
    • If the key does not exist, create it by right-clicking the Software folder:
      1. Select New -> Key from the context menu.
      2. Type in 'Nexthink as the name of the new key.
      3. Right-click the area on the right-hand side of the Registry Editor that holds the list of values for the key.
      4. Select New -> DWORD (32-bit) Value from the context menu.
      5. Type in Remove7DayLimit as the name of the value.
  4. Right-click the value with the name Remove7DayLimit to change its data.
  5. Select Modify... in the context menu. The dialog to edit the value shows up.
  6. Set the value of the field Value data to 1 in the dialog.
  7. Click OK.

This method changes the value of the registry key in one computer only. Alternatively, you can use GPO to impose the same value for the registry key in all the computers where the Finder is installed.

The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.

If you need help or assistance, please contact your Nexthink Certified Partner.