Good morning!
I am using OpenSearch to create a dashboard to visualize all the information from my TheHive (incident response tool).
I retrieve this data from Logstash, which sends it to OpenSearch.
I have a small problem with a field, let me explain.
I have a field called “code”, it can include different values of the type: “U1”, “U12”, “U45”, etc.
This field is an array that can contain one or more values. That is, it can be equal to:
"code": ["U1"]
or
"code": ["U12", "U34"]
or
"code": ["UXX", "UXX", "UXX"]
etc.
So no problem, I retrieve this data on OpenSearch Dashboard and I display with a Pie the percentage of UXX for each.
However, I would like to create two different Pies. A Pie that corresponds to organization A and another to organization B. The idea is to select the “UXX” according to the corresponding organizations.
So, on each Pie, I just have to select the data under the “code” field, and add a filter to remove for example “U12” and “U78” which do not belong to organization A.
However, I have a problem when there are multiple values in the “code” array.
Indeed, let’s imagine that I have the code array with the values "U33" and "U12", knowing that U33 belongs to organization A and the other to organization B. If I create the Pie for organization A, I would just have to put an “is not” filter for the “U12” value of the “code” field. But this does not work, because as soon as one of the values entered in the filter belongs to the table, ALL the values of the table are displayed on the Pie.
Do you have a solution?
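
Added example, not part of the original post: a small Python model of why dashboard filters act on whole documents while the pie's terms aggregation buckets every value of the "code" array, and how the terms aggregation's `exclude` parameter narrows the buckets instead. The sample documents, the A/B code split and the helper names are constructed for illustration.

```python
from collections import Counter

# Constructed sample documents (not from the original post).
DOCS = [
    {"code": ["U33", "U12"]},
    {"code": ["U33"]},
    {"code": ["U12", "U78"]},
    {"code": ["U45", "U33"]},
]
ORG_A_CODES = ["U33", "U45"]  # assumed split between the organizations
ORG_B_CODES = ["U12", "U78"]


def terms_buckets(docs, exclude=()):
    """Model a terms aggregation on "code": each document is counted once
    per distinct array value; `exclude` removes buckets, not documents."""
    counts = Counter()
    for doc in docs:
        counts.update(v for v in set(doc["code"]) if v not in exclude)
    return dict(counts)


def filter_is_one_of(docs, values):
    """Model an "is one of" filter: keep documents holding any listed value."""
    return [d for d in docs if set(d["code"]) & set(values)]


def filter_is_not_one_of(docs, values):
    """Model an "is not one of" filter: drop documents holding any listed value."""
    return [d for d in docs if not set(d["code"]) & set(values)]


def org_a_request(field="code"):
    """Query DSL for organization A's pie. Assumes `field` is mapped as
    keyword (the name may be "code.keyword" in your index)."""
    terms = {"field": field, "exclude": ORG_B_CODES, "size": 50}
    return {"size": 0, "aggs": {"codes": {"terms": terms}}}


if __name__ == "__main__":
    print(terms_buckets(filter_is_one_of(DOCS, ORG_A_CODES)))      # U12 leaks in
    print(terms_buckets(filter_is_not_one_of(DOCS, ORG_B_CODES)))  # U33 undercounted
    print(terms_buckets(DOCS, exclude=ORG_B_CODES))                # per-value result
    print(org_a_request())
```

In OpenSearch Dashboards the same list can be entered in the Terms bucket's Advanced > JSON input as `{"exclude": ["U12", "U78"]}`.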