Siren Platform User Guide

Filtering by field

You can filter the search results to display only those documents that contain a particular value in a field. You can also create negative filters that exclude documents that contain the specified field value.

You add field filters from the Fields list, the Documents table, or by manually adding a filter. In addition to creating positive and negative filters, the Documents table enables you to filter on whether or not a field is present. The applied filters are shown below the Query bar. Negative filters are shown in red.

To add a filter from the Fields list:

  1. Click the name of the field you want to filter on. This displays the top five values for that field.
  2. To add a positive filter, click Positive Filter. This includes only those documents that contain that value in the field.
  3. To add a negative filter, click Negative Filter. This excludes documents that contain that value in the field.

To add a filter from the Documents table:

  1. Expand a document in the Documents table by clicking Expand to the left of the document’s table entry.
  2. To add a positive filter, click Positive Filter to the right of the field name. This includes only those documents that contain that value in the field.
  3. To add a negative filter, click Negative Filter to the right of the field name. This excludes documents that contain that value in the field.
  4. To filter on whether or not documents contain the field, click Exists to the right of the field name. This includes only those documents that contain the field.

To manually add a filter:

  1. Click Add Filter. A popup is displayed for you to create the filter.
  2. Choose a field to filter by. This list of fields includes the fields from the index pattern you are currently querying against.
  3. Choose an operation for your filter.

    The following operators can be selected:

    is

    Filter where the value for the field matches the given value.

    is not

    Filter where the value for the field does not match the given value.

    is one of

    Filter where the value for the field matches one of the specified values.

    is not one of

    Filter where the value for the field does not match any of the specified values.

    is between

    Filter where the value for the field is in the given range.

    is not between

    Filter where the value for the field is not in the given range.

    exists

    Filter where any value is present for the field.

    does not exist

    Filter where no value is present for the field.

  4. Choose the value(s) for your filter.
  5. (Optional) Specify a label for the filter. If you specify a label, it is displayed below the Query bar instead of the filter definition.
  6. Click Save. The filter is applied to your search and displayed below the Query bar.

Note

To make the filter editor more user-friendly, you can enable the filterEditor:suggestValues advanced setting. Enabling this will cause the editor to suggest values from your indices if you are filtering against an aggregatable field. However, this is not recommended for extremely large data sets, as it can result in long queries.
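To make the operator list above concrete, here is an added example (not Siren's own code) that builds the Elasticsearch query DSL clause each filter-editor operator corresponds to and evaluates it against a few constructed documents; the mapping is the standard Elasticsearch one and is assumed, not taken from the Siren editor's output.

```python
# Added example, not Siren's code. Assumption: standard Elasticsearch DSL mapping for
# the guide's operators, which need not be byte-identical to what the editor generates.
def build_filter(field, operator, value=None):
    """Return the DSL clause for one of the guide's filter-editor operators."""
    negate = operator.startswith("is not") or operator == "does not exist"
    if operator in ("is", "is not"):
        clause = {"term": {field: value}}
    elif operator in ("is one of", "is not one of"):
        # Alternatives go in should; minimum_should_match makes at least one mandatory.
        clause = {"bool": {"should": [{"term": {field: v}} for v in value],
                           "minimum_should_match": 1}}
    elif operator in ("is between", "is not between"):
        clause = {"range": {field: {"gte": value[0], "lt": value[1]}}}
    elif operator in ("exists", "does not exist"):
        clause = {"exists": {"field": field}}
    else:
        raise ValueError(f"unknown operator: {operator}")
    # Negative filters wrap the positive clause in must_not.
    return {"bool": {"must_not": [clause]}} if negate else clause

def matches(clause, doc):
    """Local evaluator for the clause shapes build_filter produces (demo only)."""
    if "term" in clause:
        (field, value), = clause["term"].items()
        return doc.get(field) == value
    if "range" in clause:
        (field, r), = clause["range"].items()
        v = doc.get(field)
        return v is not None and r["gte"] <= v < r["lt"]
    if "exists" in clause:
        return clause["exists"]["field"] in doc
    b = clause["bool"]
    if "must_not" in b:
        return not any(matches(c, doc) for c in b["must_not"])
    hits = sum(matches(c, doc) for c in b.get("should", []))
    return hits >= b.get("minimum_should_match", 1)

# Constructed sample documents; the last one has no country field, so a negative
# country filter keeps it while "exists" drops it.
DOCS = [
    {"geoip.country_name.raw": "Canada", "response": 404, "bytes": 120},
    {"geoip.country_name.raw": "China", "response": 200, "bytes": 9000},
    {"geoip.country_name.raw": "Brazil", "response": 404, "bytes": 300},
    {"response": 404, "bytes": 50},
]

def apply_filter(field, operator, value=None, docs=DOCS):
    """Return the positions of the documents the filter keeps."""
    clause = build_filter(field, operator, value)
    return [i for i, d in enumerate(docs) if matches(clause, d)]
```

Note that "is not" keeps documents that lack the field entirely, which is why it differs from combining "exists" with a value check.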

Managing filters

To modify a filter, move the mouse pointer over it and click one of the action buttons.

Enable Filter
Switch off the filter without removing it. Click again to switch the filter on again. Diagonal stripes indicate that a filter is switched off.
Pin Filter
Pin the filter. Pinned filters persist when you switch contexts in Siren Investigate. For example, you can pin a filter in Discover and it remains in place when you switch to Visualize. Note that a filter is based on a particular index field; if the indices being searched do not contain the field in a pinned filter, it has no effect.
Invert Filter
Switch from a positive filter to a negative filter and vice versa.
Remove Filter
Remove the filter.
Edit Filter
Edit the filter definition. Enables you to manually update the filter and specify a label for the filter.

To apply a filter action to all the applied filters, click Actions and select the action.

Editing a filter

You can edit a filter by changing the field, operator, or value associated with the filter (see the Add Filter section), or by directly modifying the filter query that is performed to filter your search results. This enables you to create more complex filters that are based on multiple fields.

  1. To edit the filter query, first click Edit for the filter, then click Edit Query DSL.
  2. You can then edit the query for the filter.

For example, you could use a bool query to create a filter for the sample log data that displays the hits that originated from Canada or China that resulted in a 404 error. Because the query also has a must clause, minimum_should_match is set to 1 so that at least one of the country clauses has to match; without it Elasticsearch treats the should clauses as optional and the filter would return every 404, whatever the country:

{
  "bool": {
    "should": [
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "China"
        }
      }
    ],
    "minimum_should_match": 1,
    "must": [
      {
        "term": {
          "response": "404"
        }
      }
    ]
  }
}