Siren Platform User Guide

Setting advanced options

The Advanced Settings page enables you to directly edit settings that control the behavior of the Siren Investigate application. For example, you can change the format used to display dates, specify the default index pattern, and set the precision for displayed decimal values.

  1. Go to Management > Advanced Settings.
  2. Click Edit for the option you want to modify.
  3. Enter a new value for the option.
  4. Click Save.

Warning

Modifying the following settings can significantly affect Siren Investigate’s performance and cause problems that are difficult to diagnose. Setting a property’s value to a blank field will revert to the default behavior, which may not be compatible with other configuration settings. Deleting a custom setting removes it from Siren Investigate permanently.

Table 14. Common settings

| Name | Description | Example |
|---|---|---|
| sentinl:experimental | Enable experimental features in Siren Alert. | false |
| query:queryString:options | Options for the Lucene query string parser. | { "analyze_wildcard": true } |
| sort:options | Options for the Elasticsearch sort parameter. | { "unmapped_type": "boolean" } |
| dateFormat | The format to use for displaying formatted dates. | DD/MM/YYYY |
| dateFormat:tz | The timezone that Siren Investigate uses. The default value of Browser uses the timezone detected by the browser. | Browser |
| dateFormat:scaled | These values define the format used to render ordered time-based data. Formatted timestamps must adapt to the interval between measurements. Keys are ISO8601 intervals. | [ ["", "HH:mm:ss.SSS"], ["PT1S", "HH:mm:ss"], ["PT1M", "HH:mm"], ["PT1H", "YYYY-MM-DD HH:mm"], ["P1DT", "YYYY-MM-DD"], ["P1YT", "YYYY"] ] |
| dateFormat:dow | The day of the week on which weeks start. | Sunday |
| defaultIndex | The default index. The default value is null. | index-pattern:company |
| defaultColumns | The columns that appear by default on the Discover page. The default value is _source. | _source |
| metaFields | An array of fields outside of _source. Siren Investigate merges these fields into the document when displaying it. | _source, _id, _type, _index, _score |
| discover:sampleSize | The number of rows to show in the Discover table. | 50 |
| discover:aggs:terms:size | The number of terms visualized when you click the Visualize button in a field box in the Discover sidebar. The default value is 20. | 20 |
| doc_table:highlight | Highlight results in Discover and in saved searches on dashboards. Highlighting slows requests on large documents; set this property to false to switch it off. | true |
| doc_table:highlight:all_fields | Improves highlighting by using a separate highlight_query that uses all_fields mode on query_string queries. Set to false if you are using a default_field in your index. | true |
| courier:maxSegmentCount | Siren Investigate splits requests in the Discover page into segments to limit the size of requests sent to the Elasticsearch cluster. This setting constrains the length of the segment list. Long segment lists can significantly increase request processing time. | 30 |
| courier:ignoreFilterIfFieldNotInIndex | Set this property to true to skip filters that apply to fields that do not exist in a visualization’s index. Useful when dashboards consist of visualizations from multiple index patterns. | false |
| fields:popularLimit | How many of the most popular fields are shown. | 10 |
| histogram:barTarget | When date histograms use the auto interval, Siren Investigate attempts to generate this number of bars. | 50 |
| histogram:maxBars | Date histograms are not generated with more bars than the value of this property, scaling values when necessary. | 100 |
| visualization:tileMap:maxPrecision | The maximum geohash precision displayed on tile maps: 7 is high, 10 is very high, 12 is the maximum. | 7 |
| visualization:tileMap:WMSdefaults | Default properties for the WMS map server support in the coordinate map. | { "enabled": false, "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer", "options": { "version": "1.3.0", "layers": "0", "format": "image/png", "transparent": true, "attribution": "Maps provided by USGS", "styles": "" } } |
| visualization:regionmap:showWarnings | Whether the region map shows a warning when terms cannot be joined to a shape on the map. | true |
| visualization:colorMapping | Maps values to specified colors within visualizations. | {"Count":"#6eadc1"} |
| visualization:loadingDelay | Time to wait before dimming visualizations during a query. | 2s |
| visualization:dimmingOpacity | When part of a visualization is highlighted, for example by moving the mouse pointer over it, this is the opacity applied to the other elements. A higher number means other elements will be less opaque. | 0.5 |
| csv:separator | A string that serves as the separator for exported values. | , |
| csv:quoteValues | Set this property to true to quote exported values. | true |
| history:limit | In fields that have history, such as query inputs, the value of this property limits how many recent values are shown. | 10 |
| shortDots:enable | Set this property to true to shorten long field names in visualizations. For example, instead of foo.bar.baz, show f.b.baz. | false |
| truncate:maxHeight | The maximum height that a cell occupies in a table. A value of 0 switches off truncation. | 115 |
| indexPattern:fieldMapping:lookBack | The number of recent matching patterns to query for the field mapping, for index patterns whose names contain timestamps. | 5 |
| format:defaultTypeMap | A map of the default format name for each field type. Field types that are not explicitly mentioned use "default". | { "ip": { "id": "ip", "params": {} }, "date": { "id": "date", "params": {} }, "number": { "id": "number", "params": {} }, "boolean": { "id": "boolean", "params": {} }, "_source": { "id": "_source", "params": {} }, "_default_": { "id": "string", "params": {} } } |
| format:number:defaultPattern | Default numeral format for the "number" format. | 0,0.[000] |
| format:bytes:defaultPattern | Default numeral format for the "bytes" format. | 0,0.[000]b |
| format:percent:defaultPattern | Default numeral format for the "percent" format. | 0,0.[000]% |
| format:currency:defaultPattern | Default numeral format for the "currency" format. | ($0,0.[00]) |
| savedObjects:perPage | The number of objects shown on each page of the list of saved objects. The default value is 5. | 5 |
| savedObjects:listingLimit | The number of objects to fetch for the listing pages. | 1000 |
| timepicker:timeDefaults | The default time filter selection. | { "from": "now-15m", "to": "now", "mode": "quick" } |
| timepicker:refreshIntervalDefaults | The time filter’s default refresh interval. | { "display": "Off", "pause": false, "value": 0 } |
| dashboard:defaultDarkTheme | Set this property to true to make new dashboards use the dark theme by default. | false |
| filters:pinnedByDefault | Set this property to true to make filters have a global state by default. | false |
| filterEditor:suggestValues | Set this property to true to have the filter editor suggest values for fields, instead of providing only a text input. This may result in heavy queries to Elasticsearch. | false |
| notifications:banner | You can specify a custom banner to display temporary notices to all users. This field supports Markdown. | |
| notifications:lifetime:banner | The duration in milliseconds for which banner notifications are displayed. The default value is 3000000. Set this field to Infinity to switch off banner notifications. | 3000000 |
| notifications:lifetime:error | The duration in milliseconds for which error notifications are displayed. The default value is 300000. Set this field to Infinity to switch off error notifications. | 300000 |
| notifications:lifetime:warning | The duration in milliseconds for which warning notifications are displayed. The default value is 10000. Set this field to Infinity to switch off warning notifications. | 10000 |
| notifications:lifetime:info | The duration in milliseconds for which information notifications are displayed. The default value is 5000. Set this field to Infinity to switch off information notifications. | 5000 |
| metrics:max_buckets | The maximum number of buckets that a request may produce. The limit can be reached, for example, when a short interval (such as 1s) is selected for a long time period (such as 1 year). | 2000 |
| state:storeInSessionStorage | [experimental] Siren Investigate tracks UI state in the URL, which can lead to problems when there is a lot of information there and the URL gets very long. Enabling this stores parts of the state in your browser session instead, to keep the URL shorter. | true |
| indexPattern:placeholder | The placeholder for the "Index name or pattern" field in the Settings > Indices tab. | logstash-* |
| context:defaultSize | The number of surrounding entries to show in the context view. | 5 |
| context:step | The step size by which the context size is incremented or decremented. | 5 |
| context:tieBreakerFields | A comma-separated list of fields to use for tie breaking between documents that have the same timestamp value. From this list, the first field that is present and sortable in the current index pattern is used. | _doc |
| timelion:showTutorial | Set this property to true to show the Timelion tutorial to users when they first open Timelion. | false |
| timelion:es.timefield | Default field containing a timestamp when using the .es() query. | @timestamp |
| timelion:es.default_index | Default index when using the .es() query. | _all |
| timelion:target_buckets | Used for calculating automatic intervals in visualizations, this is the number of buckets to try to represent. | 200 |
| timelion:max_buckets | Used for calculating automatic intervals in visualizations, this is the maximum number of buckets to represent. | 2000 |
| timelion:default_columns | The default number of columns to use on a Timelion sheet. | 2 |
| timelion:default_rows | The default number of rows to use on a Timelion sheet. | 2 |
| timelion:graphite.url | [experimental] Used with Graphite queries, this is the URL of your Graphite host. | https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite |
| timelion:quandl.key | [experimental] Used with Quandl queries, this is your API key from www.quandl.com. | someKeyHere |
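The dateFormat:scaled lookup from the table above, as an added example that is not code from the Siren Investigate project: it parses the ISO 8601 interval keys and picks the display format for a given bucket interval. It assumes that the entry with the largest key not exceeding the interval applies, and approximates months and years as 30 and 365 days for ordering the thresholds.

```python
import re
from datetime import timedelta

# Constructed copy of the dateFormat:scaled default shown in the table.
DATE_FORMAT_SCALED = [
    ["", "HH:mm:ss.SSS"],
    ["PT1S", "HH:mm:ss"],
    ["PT1M", "HH:mm"],
    ["PT1H", "YYYY-MM-DD HH:mm"],
    ["P1DT", "YYYY-MM-DD"],
    ["P1YT", "YYYY"],
]

# Duration grammar: P[nY][nM][nW][nD][T[nH][nM][nS]]. A bare trailing "T"
# (as in the P1DT / P1YT keys) is accepted even though ISO 8601 frowns on it.
_ISO_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$"
)


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration key to seconds. The empty key means
    'any interval' and maps to 0. Months/years use 30/365 days (assumption)."""
    if text == "":
        return 0.0
    m = _ISO_DURATION.match(text)
    if not m:
        raise ValueError("not an ISO 8601 duration: %r" % text)
    g = {k: float(v) if v else 0.0 for k, v in m.groupdict().items()}
    days = g["y"] * 365 + g["mo"] * 30 + g["w"] * 7 + g["d"]
    return days * 86400 + g["h"] * 3600 + g["mi"] * 60 + g["s"]


def pick_date_format(interval, scaled=DATE_FORMAT_SCALED):
    """Return the display format for a bucket interval given either as a
    timedelta or as an ISO 8601 duration string. Thresholds are sorted so the
    format gets coarser as the interval between measurements grows."""
    secs = (interval.total_seconds() if isinstance(interval, timedelta)
            else iso_duration_seconds(interval))
    thresholds = sorted((iso_duration_seconds(k), fmt) for k, fmt in scaled)
    chosen = thresholds[0][1]
    for limit, fmt in thresholds:
        if secs < limit:
            break
        chosen = fmt
    return chosen
```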



Table 15. Siren Investigate settings

| Name | Description | Example |
|---|---|---|
| siren:timePrecision | Sets the precision of generated time filters. Possible values are: y, M, w, d, h, m, s, ms. | S |
| siren:joinTaskTimeout | Default timeout for join tasks in milliseconds. When the timeout expires, join tasks return the results gathered at that point. Set to 0 to disable the global timeout. Can be overridden per relation in each relation's advanced options in the relational panel. | 0 |
| siren:panel_vertical_size | Set to change the default vertical panel size. | 3 |
| siren:vertical_grid_resolution | Set to change the vertical grid resolution. | 100 |
| siren:enableAllRelBtnCounts | Enable counts on all relational buttons. | true |
| siren:defaultDashboardId | The dashboard that is displayed when clicking the Dashboard tab for the first time. | null |
| siren:excludedIndices | Indices to exclude. | .kibi*,.siren*,.searchguard,.security,.monitoring*,watcher_alarms-* |
| siren:graphUseWebGl | Set to false to switch off WebGL rendering. | true |
| siren:graphStatesLimit | How many undo/redo steps to keep in memory. | 10 |
| siren:graphExpansionLimit | Limit the number of elements to retrieve during the graph expansion. | 500 |
| siren:graphRelationFetchLimit | Limit the number of relations to retrieve after the graph expansion. | 2500 |
| siren:graphMaxConcurrentCalls | Limit the number of concurrent calls made by the Graph Browser. | 15 |
| siren:countFetchingStrategyDashboards | Strategy used to fetch the counts for dashboards. | { "name": "default", "batchSize": 2, "retryOnError": 1, "parallelRequests": 1 } |
| siren:countFetchingStrategyRelationalFilters | Strategy used to fetch the counts for relational filters. | { "name": "default", "batchSize": 2, "retryOnError": 1, "parallelRequests": 1 } |
| siren:showVisualizationIndexPatternLinks | Show links to connect visualizations to index patterns as well as saved searches. | false |
| siren:showIntroVideos | Enable introductory videos. | true |
| siren:elasticsearch:searchErrorTrace | If true, return the stack_trace in search and msearch error responses. | true |
| siren:autoRelations:shardTimeout | Milliseconds reserved for computing a single Fingerprints/Relations Wizard request. When the timeout expires, requests return the results gathered at that point, possibly leading to suboptimal overall results. It does not apply to virtual indices. | 5000 |
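A check on the siren:excludedIndices list from the table above, added here as an example and not Siren code: it treats each comma-separated entry as a shell-style glob (an assumption suggested by the trailing wildcards), partitions a constructed set of index names into hidden and visible ones, and reports which protected system indices a customised list would leave visible. Note that an exact entry such as .security does not cover a suffixed name like .security-6.

```python
import fnmatch

# Constructed copy of the siren:excludedIndices default shown in the table.
EXCLUDED_INDICES = ".kibi*,.siren*,.searchguard,.security,.monitoring*,watcher_alarms-*"

# System indices that should stay hidden from the UI (assumption for this check).
PROTECTED = [".security", ".searchguard"]


def parse_patterns(setting):
    """Split the comma-separated setting into trimmed, non-empty glob patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]


def partition_indices(index_names, setting=EXCLUDED_INDICES):
    """Return (excluded, visible) lists for the given index names, matching each
    name case-sensitively against every pattern in the setting."""
    patterns = parse_patterns(setting)
    excluded, visible = [], []
    for name in index_names:
        hidden = any(fnmatch.fnmatchcase(name, p) for p in patterns)
        (excluded if hidden else visible).append(name)
    return excluded, visible


def unprotected(setting=EXCLUDED_INDICES, protected=PROTECTED):
    """Protected index names that the given setting would still expose."""
    _, visible = partition_indices(protected, setting)
    return visible


if __name__ == "__main__":
    # Constructed sample of index names as a cluster might list them.
    sample = [".kibi", ".siren-sessions", ".searchguard", "logs-2020",
              ".security-6", ".monitoring-es-7", "watcher_alarms-2020"]
    hidden, shown = partition_indices(sample)
    print("hidden:", hidden)
    print("shown:", shown)
    print("unprotected with '.kibi*' only:", unprotected(".kibi*"))
```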