Filtering data in a dashboard

You can filter the data by the contents of one or more fields in the records. You can create filters in the following ways:

After you create a filter, the filter conditions display in an interactive filter button below the Search field.

Interactive filter button

If you want to hide the filter conditions and display a text instead, edit the filter and enter a label.

A label on a filter button

You can filter data to display only the records that contain a particular value in a field. You can also create negative filters that exclude records that contain the specified field value.

Adding a filter from a visualization

You can add filters by interacting directly with visualizations.

For example, if your dashboard contains a pie chart, you can click a segment. This applies a filter based on the value that you select.

You can combine filters by creating an OR filter. Press and hold the CTRL key and click on multiple segments of a chart or on multiple filter buttons. This can be done across different visualizations in a dashboard.

Combining filters

Advanced: How visualizations and filters interact with entity tables

Most visualizations in Siren Investigate are connected to an entity table. The following screenshot shows two visualizations (a heatmap and an analytic table), which are both connected to the company entity table.

image

When a visualization is based on an entity table, it reacts to filters or textual queries that are made in the dashboard.

For example, in the following screenshot, the same visualizations update when a filter is added (in this case, countrycode=USA).

Filters can be created either by clicking on the visualizations themselves, or manually.

image

There is a limitation with this simple filtering model, however. All of the visualizations try to apply the filters to their underlying entity tables, whether or not the filter is applicable.

For example, the countrycode=USA filter is applied to all of the visualizations in the dashboard, even to one that is based on the Investment entity table, which does not have a countrycode field. This will cause a message to display on that visualization, saying 'No results found'.

image

For this reason, it is recommended that dashboards generally contain visualizations that are based on the same entity table (or entity tables that have identical/compatible field names), so that filters work coherently across all visualizations.

The Dashboard 360 feature overcomes this limitation by allowing relationally-connected visualizations. For more information, see Creating 360 dashboards.

Adding filters by record in a Record Table

If there is a record table visualization in your dashboard, hover your cursor over a record to display the Filter for value and Filter out value buttons (the positive and negative magnifying glass icons).

For example, in a dashboard that contains a table of Companies by Country, you can filter by the country code IRL for Ireland by clicking Filter for value. Or, to exclude Irish companies from your analysis, click Filter out value.

The Filter for value icon and the Filter out value icon

Another way to filter by records is by selecting the checkbox in the top-left corner of the table.

Filter checkbox on a record table

This displays check boxes along each row of the table. Select one or more rows (records) and click Create filter.

Create filter button on a record table

A new filter appears at the top of the dashboard, which is based on the entities that you selected.

Filter button of a record table filter

For more information, see the Record table visualization.

Adding a filter from the Graph Browser

When you are analyzing data in the Graph Browser, you can apply a filter from the available nodes.

Filtering from the Graph Browser

This can be useful if you find some interesting nodes that you want to investigate further in a dashboard.

  1. In the Graph Browser, select the nodes that are of interest and click Filter.

  2. Hover over the interactive filter button above the graph and click the pin icon The pin filter icon. This updates all dashboards by filtering them to the nodes you selected.

  3. Navigate to the filtered dashboards to look more closely at the data.

For more information, see the Graph Browser.

Adding a filter from the record view

If your dashboard contains a Record Table visualization, you can access a range of filters by clicking the View full record button to the left of the record’s row.

The View Full Record icon

In the record view, you can select one of the following filters:

Available filters in the record view

  • Filter for value: Includes only those records that contain that value in the field.

  • Filter out value: Excludes records that contain that value in the field.

  • Toggle column in table: Allows you to hide or show a field as a column in the table.

  • Filter for field present: Includes only those records that contain the field.

You can filter by a single record by clicking Filter to dashboard.

Filter to dashboard button

This allows you to select a dashboard in which you want to filter by the selected record.

A Filter to dashboard button is also available in the search results of the Global Search interface.

Filter dashboard to dashboard

You have the option to apply the filters from one dashboard to another dashboard within the same entity table.

The button to do this appears to the right of your dashboard name and count.

Upon clicking this button, you are presented with a modal where you can select the target dashboard you wish to apply your filters to.

You have the option to reset the target dashboard to its saved state before filters from current dashboard are applied.

Adding a filter manually

  1. In a dashboard, click Filters and Add a filter.

    The Add a filter button in a dashboard

  2. In the Add filter dialog box, select a field to filter by.

  3. Select an operator from the dropdown menu. The following operators can be selected:

    The following filters will match a record if any entry of a multi-value field satisfies the filtering criteria.
    All filterable field types

    is

    Filter where the value for the field matches the given value.

    is not

    Filter where the value for the field does not match the given value.

    is one of

    Filter where the value for the field matches one of the specified values.

    is not one of

    Filter where the value for the field does not match any of the specified values.

    exists

    Filter where any value is present for the field.

    does not exist

    Filter where no value is present for the field.

    Numeric, date and IP field types

    is between

    Filter where the value for the field is in the given range.

    is not between

    Filter where the value for the field is not in the given range.

    > greater than

    Filter where the value for the field is larger than the given value.

    < less than

    Filter where the value for the field is smaller than the given value.

    ≥ greater than or equal

    Filter where the value for the field is larger than or equal to the given value.

    ≤ less than or equal

    Filter where the value for the field is smaller than or equal to the given value.

    Range field types

    intersects

    Filter where the range field intersects the given range.

    does not intersect

    Filter where the range field does not intersect the given range.

    within

    Filter where the range field is within the given range.

    is not within

    Filter where the range field is not within the given range.

    contains range

    Filter where the range field contains the given range.

    does not contain range

    Filter where the range field does not contain the given range.

    contains value

    Filter where the given value is within the range field.

    does not contain value

    Filter where the given value is not within the range field.

    contains one of

    Filter where at least one of the specified values is within the range field.

    does not contain one of

    Filter where none of the specified values is within the range field.

  4. Specify the value(s) for the filter.

  5. (Optional) Specify a label for the filter. If you do not specify a label, the filter definition is displayed on the filter.

  6. Click Save. The filter is applied to the data and it appears below the Search field.

Advanced: You can make the filter editor more user-friendly by enabling the filterEditor:suggestValues advanced setting. This allows the editor to suggest values from the entity tables if you are filtering against an aggregatable field. However, this is not recommended for extremely large data sets, because it can impact system performance.

Setting a time filter

The time filter restricts any search results to a specific time period.

Before you begin

To set a time filter, an entity table must contain time-based events in its records.

You must select the field that the time filter is based on on the Info tab of the Data model app.

For example, in a dashboard about articles, you could set the time filter field as pdate, which contains the publication date of the article records.

Procedure

  1. From the Options menu, click the Time filter.

    Time filter button in the options menu

  2. Select one of the following tabs:

    • Quick: You can choose from one of the available quick filters, ranging from 'today' to the 'last 5 years'.

    • Relative: Specify a time range that is relative to the current time. Relative times can be in the past or in the future.

    • Absolute: Specify both the start and end times for the time filter.

  3. (Optional) Select the dashboards you want the filter to apply to. It is applied to the current dashboard by default.

You can view more quick options by hovering your cursor over the Time filter button.

Use the arrows to move forward or backward in time. Or else, use the magnifying glass icons to zoom in to half the time range or zoom out to triple the time range.

If you do not save the dashboard with the new time filter applied, it will return to its last saved state when you open a new session.

Auto-refreshing the search results

You can configure an auto-refresh interval to automatically refresh the page with the latest index data. This function periodically resubmits the search query.

When an auto-refresh interval is set, it is displayed to the left of the Time Filter in the Options menu. A pause or play button is also displayed, which allows you to pause the refresh and restart it as needed.

To set a refresh interval:

  1. Click the Time Filter.

  2. Click the Auto-refresh tab.

  3. Select an interval from the list.

Auto refresh intervals

Editing filters

To edit a filter, hover your cursor over it and click one of the action buttons.

Filter action buttons

image Enable Filter

Disable or enable the filter without removing it. Diagonal stripes indicate that a filter is disabled.

image Pin Filter

Pin the filter. Pinned filters persist when you switch contexts in Siren Investigate. For example, you can pin a filter in the Discover app and it remains in place when you switch to the Visualize app.

A filter is based on a particular index field. If the indices that are being searched do not contain the field in a pinned filter, it has no effect.

image Invert Filter

Switch from a positive filter to a negative filter and vice-versa.

image Remove Filter

Remove the filter.

image Edit Filter

Edit the filter definition. Allows you to manually update the filter and specify a label for it.

To apply any of the filter actions to all of the applied filters at once, click Actions to display the menu.

Editing a filter query

You can edit a filter by changing the field, operator, or value associated with the filter.

Or, you can directly modify the filter query that is performed to filter your search results. This allows you to create more complex filters that are based on multiple fields.

For more information, see Examples of the Elasticsearch Query DSL.