Only vs Include: buggy behavior creating the filter?

[Carlos-mb]

Hello

I have seen that when you clic on any value and select ONLY, it applies a filter just adding the text of the value to the filter, what is almost useless in many cases. But if you click on INCLUDE, it adds the field and the value to the filter, what is much more accurate

For example if, in Detections, you want to show all disabled rules you can reproduce this behavior.

If you click on the text "false" in the column "Enable" and then select ONLY, it add the text "false" to the filter and keep showing enabled rules because it shows all rules that includes the text "false", but if you click on same "false" and click on INCLUDE it adds the filter so_detection.isEnabled:"false" what is much more accurate and shows only the disabled rules.

Is it the expected behavior?

Regards,
Carlos.

[InfosecGoon]

Yes, this is the expected bahavior. ONLY does a string search for the field value alone across all of your logs, while INCLUDE adds the field name and value to the current query.

[Carlos-mb]

Hi @InfosecGoon

The documentation says:

Clicking the Include option will add the selected value to your existing search to only show search results that include that value.

Clicking the Only option will start a new search for the selected value and retain any existing groupby terms.

According to my understanding (can be wrong, because I'm not English speaker), it explain the behavior of filtering process in the same way but the real behavior is different.

The option INCLUDE filter the value related to the field and the option ONLY filter de text of the value between all the fields.

If this is the expected behavior then there is a mismatch with documentation.

And, as I said, make the INCLUE option useless in cases like boolean fields, poorly usable with fields like IPs and could make sense in fields like Community ID or hashes that area special values.

Regards
Carlos

[dougburks]

The INCLUDE and ONLY options are working as designed.

How about if we update the documentation as follows?

Include
Clicking the Include option will add the selected field:value pair to your existing search with an AND to only show search results that include that value in that field.

Exclude
Clicking the Exclude option will add the selected field:value pair to your existing search with an AND NOT to only show search results that do not include that value in that field.

Only
Clicking the Only option will start a new search for the selected value in any field. It will remove any existing filters but retain any existing groupby terms.

[Carlos-mb]

I'm really surprised how SO team listen to the users.
Thank you very much.

[dougburks]

I've committed this change:
Security-Onion-Solutions/securityonion-docs@2e08337

It will be included in the upcoming 2.4.100 release.

[Carlos-mb]

I've committed this change: Security-Onion-Solutions/securityonion-docs@2e08337

It will be included in the upcoming 2.4.100 release.

Thank you