Dashboard filter is not applicable when referencing a data table in widget query

  • February 13, 2026
  • 2 replies
  • 0 views

fazilfa

Hi Team,

In one of my widget queries I was referencing a data table, and I can see the required output.

This is my dashboard widget query:

metadata.log_type = /Fortinet/ nocase
 
principal.ip != ""
target.ip != ""
 
not principal.ip in %Private_IP_Ranges.cidr 
 
match:  security_result.action,principal.ip,principal.port,principal.ip_geo_artifact.location.country_or_region,target.ip,target.port,target.ip_geo_artifact.location.country_or_region,target.application,network.sent_bytes,network.received_bytes
 
outcome:
  $event_time = timestamp.get_timestamp(max(metadata.event_timestamp.seconds), "%F %T", "GMT")
 
limit:
    10000

After saving the query, when I try to apply a global filter, I am unable to select my widget (it is greyed out).

But when I don't reference a data table in the query, I am able to add the filter.

Just wondering if this is a limitation that dashboards have?
 

2 replies

jstoner
  • Staff
  • February 13, 2026

Thanks for sharing this. I was able to replicate what you raised here. At the moment, it appears that you would need to add those netblocks into the query as a workaround. I have reached out to the development team to see what the status of this is. 
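
The workaround described in the reply above, written out as an added example (not part of the original thread and not code from either poster). It assumes the `Private_IP_Ranges` data table holds the RFC 1918 private ranges, which the thread does not confirm, and it uses YARA-L's `net.ip_in_range_cidr` function in place of the data table lookup; substitute the netblocks your table actually contains.

```yara-l
// Added example: the original widget query with the data table reference
// replaced by inline netblocks, so the widget no longer depends on
// %Private_IP_Ranges. The three CIDRs below are an assumption (RFC 1918);
// use the rows of your own data table.
metadata.log_type = /Fortinet/ nocase

principal.ip != ""
target.ip != ""

// Replaces: not principal.ip in %Private_IP_Ranges.cidr
not net.ip_in_range_cidr(principal.ip, "10.0.0.0/8")
not net.ip_in_range_cidr(principal.ip, "172.16.0.0/12")
not net.ip_in_range_cidr(principal.ip, "192.168.0.0/16")

match:
  security_result.action, principal.ip, principal.port,
  principal.ip_geo_artifact.location.country_or_region,
  target.ip, target.port,
  target.ip_geo_artifact.location.country_or_region,
  target.application, network.sent_bytes, network.received_bytes

outcome:
  $event_time = timestamp.get_timestamp(max(metadata.event_timestamp.seconds), "%F %T", "GMT")

limit:
  10000
```

Inline netblocks have to be kept in sync by hand with the data table that other rules and searches still reference.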


fazilfa
  • Author
  • Bronze 1
  • February 13, 2026

Hi @jstoner,
Thanks for the reply.

Also, I have another query around the dashboard filter.

If I try to use the global context for threat intel comparison, then the dashboard filter is also not getting applied.

Here is the query:
 

$ip.metadata.log_type != ""
$ip.principal.ip != ""
$ip.target.ip != ""
$ip.metadata.event_type = "NETWORK_CONNECTION"

$ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
($ioc.graph.metadata.vendor_name != "" or
$ioc.graph.metadata.product_name != "")
$ioc.graph.entity.artifact.ip = $dst_ip

$ip.principal.ip = $src_ip
$ip.target.ip = $dst_ip

$ip.security_result.action = $action

match:
  $src_ip,$dst_ip,$action

outcome:
  $event_time = timestamp.get_timestamp(max($ip.metadata.event_timestamp.seconds), "%F %T", "GMT")
  $total_count = count($ip.metadata.event_timestamp.seconds)
  $total_byte = math.round(sum($ip.network.received_bytes + $ip.network.sent_bytes)/1048576, 2)
  $source_type = array_distinct($ip.metadata.log_type)
  $src_port = array_distinct($ip.principal.port)
  $dest_port = array_distinct($ip.target.port)
  $host = array_distinct($ip.principal.hostname)
  $intel_status = if(count_distinct($ioc.graph.entity.artifact.ip) > 0, "MALICIOUS", "NONE")
  $intel_vendor = array_distinct($ioc.graph.metadata.vendor_name)
  $threat_name = array_distinct($ioc.graph.metadata.threat.threat_feed_name)

condition:
  $total_count > 0

order:
  $total_count desc

limit:
  10000