Siren currently has the following known issues and limitations.

  • Nodes from remote Elasticsearch clusters cannot be added to the graph.

  • Queries with 'inner_hits' are not working with _siren end point.

  • Use of the colon ':' in cluster and index names is deprecated.

  • Wildcards on virtual index names are not supported by any API; a wildcard search will silently ignore virtual indices.

  • Cross-remote-cluster wildcard pattern searches are not supported.

  • Comma-separated lists of index patterns which target virtual indices are not supported.

  • Adding an EID from a virtual index (JDBC source) to the Graph Browser will not work using drag and drop. EIDs can still be added using the Manual Entity Identifier option in the Add menu.

Nested objects

Siren Investigate cannot perform aggregations across fields that contain nested objects. It also cannot search on nested objects when Lucene Query Syntax is used in the query bar.

Using include_in_parent or copy_to as a workaround is not supported and may stop functioning in future releases.

Visualizations over JDBC tables

When you create visualizations over JDBC tables, you cannot add more than one sub-bucket. If you try to add another sub-bucket, the following error message is displayed:

"Visualize: Only one level of nesting is currently supported."


Use a datasource reflection job to ingest the table in a concrete index. The aggregation can then run successfully on the index.