Siren Platform User Guide

Changing the Visualization

Click Edit (fa-pencil.png) at the top right of a container to open the visualization in the Visualize page.

Working with filters

When you create a filter anywhere in Siren Investigate, the filter conditions display in an oval under the search text entry box:

filter sample

Moving the mouse pointer over the filter oval displays the following icons:

Filter all buttons.
Enable Filter (fa-check-square-o.png)
Click this icon to switch off the filter without removing it. You can enable the filter again later by clicking the icon again. Inactive filters are displayed with a striped shaded color.
Pin Filter (fa-thumb-tack-mod.png)
Click this icon to pin a filter. Pinned filters persist across Siren Investigate tabs. You can pin filters from the Visualize tab, click the Discover or Dashboard tabs, and those filters remain in place.

Note

If you have a pinned filter and you are not seeing any query results, check that your current tab’s index pattern is one that the filter applies to. For example, a pinned filter name:giovanni returns 0 results when it is "dragged along" to a dashboard whose underlying index does not have a name field, let alone a giovanni value. For this reason, a good pattern in Siren Investigate is to use Dashboard Groups to group together dashboards that are based on the same underlying index. The user can then safely pin and "drag along" a filter across dashboards in the same group.

Toggle Filter (fa-search-minus.png)
Click this icon to toggle a filter. By default, filters are inclusion filters, and are displayed in green. Only elements that match the filter are displayed. To change this to an exclusion filter, displaying only elements that do not match, toggle the filter. Exclusion filters are displayed in red.
Remove Filter (fa-trash.png)
Click this icon to remove a filter entirely.
Custom Filter (fa-pencil-square-o.png)
Click this icon to display a text field where you can customize the JSON representation of the filter and specify an alias to use for the filter name, for example, to filter the data to just the companies based in London:
London Companies Filter Example.

Adding the London Companies label to the filter displays that label on the filter bar:

London Companies Filter Bar

Omitting the label displays the filter query in the filter bar:

London Companies Filter Bar

You can use a JSON filter representation to implement predicate logic, with should for OR, must for AND, and must_not for NOT:

OR Example

{
  "bool": {
    "should": [
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "China"
        }
      }
    ]
  }
}

AND Example

{
  "bool": {
    "must": [
      {
        "term": {
          "geoip.country_name.raw": "United States"
        }
      },
      {
        "term": {
          "geoip.city_name.raw": "New York"
        }
      }
    ]
  }
}

NOT Example

{
  "bool": {
    "must_not": [
      {
        "term": {
          "geoip.country_name.raw": "United States"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      }
    ]
  }
}

Click Done to update the filter with your changes.

Note

See Query DSL documentation for more information on the possibilities.
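The three clauses can be nested to build compound conditions. The following is an added example, not part of the Siren documentation: a simplified Python model of how bool and term filters select documents, run over constructed sample documents. The city value Toronto, the sample documents, and the names matches, select, NESTED and NOT_EXAMPLE are assumptions made for illustration.

```python
# Simplified model of bool/term filter matching (not Elasticsearch code).
# Assumptions: documents are flat dicts keyed by dotted field name, and
# "term" is exact equality on one field.

def matches(flt, doc):
    """Return True if doc satisfies the filter dict flt."""
    if "term" in flt:
        (field, value), = flt["term"].items()
        return doc.get(field) == value
    if "bool" in flt:
        b = flt["bool"]
        must, should = b.get("must", []), b.get("should", [])
        if not all(matches(f, doc) for f in must):                # AND
            return False
        if any(matches(f, doc) for f in b.get("must_not", [])):   # NOT
            return False
        # Assumption of this model: should is only required when no must
        # clause is present, so OR groups are nested in their own bool below.
        if should and not must:
            return any(matches(f, doc) for f in should)           # OR
        return True
    raise ValueError("unsupported filter: %r" % (flt,))

COUNTRY, CITY = "geoip.country_name.raw", "geoip.city_name.raw"

# (Canada OR China) AND NOT Toronto
NESTED = {"bool": {
    "must": [{"bool": {"should": [{"term": {COUNTRY: "Canada"}},
                                  {"term": {COUNTRY: "China"}}]}}],
    "must_not": [{"term": {CITY: "Toronto"}}],
}}
# The page's NOT example: neither United States nor Canada
NOT_EXAMPLE = {"bool": {"must_not": [{"term": {COUNTRY: "United States"}},
                                     {"term": {COUNTRY: "Canada"}}]}}

# Constructed sample documents; id 5 has no geoip fields at all.
DOCS = [
    {"id": 1, COUNTRY: "Canada", CITY: "Toronto"},
    {"id": 2, COUNTRY: "Canada", CITY: "Vancouver"},
    {"id": 3, COUNTRY: "China", CITY: "Beijing"},
    {"id": 4, COUNTRY: "United States", CITY: "New York"},
    {"id": 5, "name": "giovanni"},
]

def select(flt, docs=DOCS):
    """Ids of the documents that the filter keeps."""
    return [d["id"] for d in docs if matches(flt, d)]

if __name__ == "__main__":
    print(select(NESTED), select(NOT_EXAMPLE))
```

Document 5 passes the NOT example because a document without the field cannot match an excluded term, while any inclusion filter on a field it lacks drops it.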

To apply any of the filter actions to all the filters currently in place, click Actions+Global Filter Actions and select an action.

Multi-select dashboard filter

Filters applied using Multi-select and belonging to one field are ORed together into a single Filter.

Hold down Ctrl and click the required filters. Select Apply Now to apply filters.