Siren Platform User Guide

Working with filters

With your visualizations in place, you can now use them to filter the data. There are several ways to do this:

  • Enter a search term in the Filters field at the top of the visualization.

  • Interact directly with the visualization. For example, click a chart segment - this will apply a filter based on the value selected.

  • Click the Add a filter + link.

When you create a filter, the filter conditions display in an oval under the search text entry box:

filter sample

Moving the mouse pointer over the filter oval displays the following icons:

Enable Filter
Click this icon to switch off the filter without removing it. You can enable the filter again by reselecting the icon. Inactive filters are displayed with a striped background.
Pin Filter
Click this icon to pin a filter. Pinned filters persist across Siren Investigate tabs. You can pin filters from the Visualize tab; when you click the Discover or Dashboard tabs, those filters remain in place.

Note

If you have a pinned filter and you are not seeing any query results, check that your current tab’s index pattern is one that the filter applies to. For example, a filter name:giovanni returns 0 results if it is pinned and therefore 'dragged along' to a dashboard whose underlying index does not have a name field, let alone a giovanni value. For this reason, it is good practice in Siren Investigate to use Dashboard Groups to group together dashboards that are based on the same underlying index. The user can then safely pin and 'drag along' a filter across dashboards in the same group.

Toggle Filter
Click this icon to toggle a filter. By default, filters are inclusion filters, and are displayed in green. Only elements that match the filter are displayed. To change this to an exclusion filter, displaying only elements that do not match, toggle the filter. Exclusion filters are displayed in red.
Remove Filter
Click this icon to remove a filter.
Custom Filter
Click this icon to display a text field where you can customize the JSON representation of the filter and specify an alias to use for the filter name, for example, to filter the data to just the companies based in London:
London Companies Filter Example.

Adding the London Companies label to the filter displays that label on the filter bar:

London Companies Filter Bar

Omitting the label displays the filter query in the filter bar:

London Companies Filter Bar

Visualizations listen to filters

Most visualizations in Siren Investigate are connected to a search. The following screenshot shows two visualizations (a heatmap and an analytic table), both connected to the company search.

dashboard_twoviz.png

When a visualization is backed by a search, it ‘listens to’ and reacts to filters or textual queries which are currently on the dashboard.

For example, in the following screenshot, the same visualizations update when a filter is added (in this case, countrycode=USA). Filters can be created either by clicking on the visualizations themselves, or manually with the Add a filter + link.

dashboard_twoviz_filtered.png

There is a limitation with this simple filtering model, however. All the visualizations will try to apply the filters to their underlying searches, whether or not the filter is applicable.

For example, the countrycode=USA filter will be applied to all the visualizations, even to one that is backed by the Investment search, which does not have a countrycode field. This will cause a 'No results found' on that visualization.

dashboard_twovis_badfilter.png

For this reason, Investigate dashboards typically group visualizations based on the same search (or searches that have identical/compatible field names), so that filters work coherently across them.

Siren 10.3 overcomes this limitation, however, allowing relationally connected visualizations with the use of the new Dashboard 360 feature, which is described in the Dashboard Data Model section.

JSON filter representation

You can use a JSON filter representation to implement predicate logic, with should for OR, must for AND, and must_not for NOT:

OR example

{
  "bool": {
    "should": [
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "China"
        }
      }
    ]
  }
}

AND example

{
  "bool": {
    "must": [
      {
        "term": {
          "geoip.country_name.raw": "United States"
        }
      },
      {
        "term": {
          "geoip.city_name.raw": "New York"
        }
      }
    ]
  }
}

NOT example

{
  "bool": {
    "must_not": [
      {
        "term": {
          "geoip.country_name.raw": "United States"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      }
    ]
  }
}

Click Done to update the filter with your changes.

Note

See Query DSL documentation for more information on the possibilities.
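
The should/must/must_not logic above and the missing-field behaviour described under "Visualizations listen to filters", modelled in Python as an added example (not Siren code). The sample documents, the label and amount fields and all function names are constructed for illustration; the model assumes that term clauses match exact values and that a field absent from a document never matches.

```python
# Added example: in-memory model of bool/term filter matching (not Siren code).
# Assumes exact-match term clauses and list-valued bool clauses, as on this page.

def matches(flt, doc):
    """True if doc satisfies a filter made of bool and term clauses."""
    if "term" in flt:
        field, value = next(iter(flt["term"].items()))
        return field in doc and doc[field] == value  # absent field never matches
    if "bool" in flt:
        b = flt["bool"]
        must, should = b.get("must", []), b.get("should", [])
        if not all(matches(c, doc) for c in must):
            return False
        if any(matches(c, doc) for c in b.get("must_not", [])):
            return False
        # "should" is mandatory only when no "must" clause is present.
        return any(matches(c, doc) for c in should) if should and not must else True
    raise ValueError("unsupported clause: %r" % list(flt))

def fields_used(flt):
    """Every field name referenced by the filter's term clauses."""
    if "term" in flt:
        return set(flt["term"])
    found = set()
    for clauses in flt.get("bool", {}).values():
        for clause in clauses:
            found |= fields_used(clause)
    return found

def apply_filter(flt, docs):
    """Labels of the documents that the filter keeps."""
    return [d["label"] for d in docs if matches(flt, d)]

def missing_fields(flt, docs):
    """Fields the filter needs that no document in this index carries."""
    return fields_used(flt) - set().union(*(d.keys() for d in docs))

# Constructed sample indices: companies have countrycode, investments do not.
COMPANIES = [{"label": "c1", "countrycode": "USA"},
             {"label": "c2", "countrycode": "IRL"}]
INVESTMENTS = [{"label": "i1", "amount": 100}, {"label": "i2", "amount": 250}]

INCLUDE_USA = {"term": {"countrycode": "USA"}}
EXCLUDE_USA = {"bool": {"must_not": [INCLUDE_USA]}}

if __name__ == "__main__":
    for name, docs in (("company", COMPANIES), ("investment", INVESTMENTS)):
        print(name, "include:", apply_filter(INCLUDE_USA, docs),
              "exclude:", apply_filter(EXCLUDE_USA, docs),
              "missing:", sorted(missing_fields(INCLUDE_USA, docs)))
```

On the investment documents the inclusion filter keeps nothing, while the exclusion filter keeps everything, because a must_not on an absent field has nothing to exclude. An exclusion filter pinned across unrelated indices can therefore look active while filtering nothing, and missing_fields flags that case before the result is trusted.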

To apply any of the filter actions to all the filters currently in place, click Actions > Global Filter Actions and select an action.