Solved

Issue: Dashboard Query Returns No Results When Using Equality Filter on Derived Field

  • January 13, 2026
  • 4 replies
  • 59 views

dishank_08

Hi Team,

While running a Dashboard query using “Run in Search”, the query returns no results, even though the same query shows results within the dashboard visualization. The issue specifically occurs when applying an equality filter (=) on a derived field created using an if() expression.

metadata.product_event_type = "test"

$inference = if(
    security_result.summary = "Client Authentication Bypass", "ABP",
    if(security_result.summary = "SSH Agent Forwarding Requested", "AFR")
)

$inference = "ABP"

match:
    principal.ip, target.ip, $inference


  • When filtering with:

    $inference = "ABP"  → No results are returned.

  • However, removing the equality filter entirely returns results.

  • Using a negation filter:

    $inference != "ABP"  → Also returns results.

  • The issue is reproducible across multiple dashboard queries using similar derived-field logic.

  • The problem appears to be specific to equality (=) filtering on fields derived via if() expressions.

  • Dashboard widgets show results, but “Run in Search” does not.


Questions

  • Is this a known issue or limitation with equality filtering on derived fields?

  • Is there a recommended workaround or alternative syntax to reliably filter on derived values?

  • Are there differences in how dashboard queries vs. “Run in Search” evaluate derived fields?

Best answer by PanosMtln
4 replies

PanosMtln
  • Bronze 5
  • Answer
  • January 14, 2026

Hello,

I noticed that neither of the following filters works:

$inference = "ABP"
$inference != "ABP"

The first one does not return results and the second one does not exclude “ABP” as it should.
The approach that worked for me is the following:

metadata.product_event_type = "test"

$inference = if(
    security_result.summary = "Client Authentication Bypass", "ABP",
    if(security_result.summary = "SSH Agent Forwarding Requested", "AFR")
)

security_result.summary = "Client Authentication Bypass"

match:
    principal.ip, target.ip, $inference

The $inference variable is a derived value. I think Chronicle’s search engine does not properly apply filters on such on-the-fly variables, resulting in unexpected behavior.
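A reference evaluation of the thread's query and of the accepted workaround, added here as an example (it is not code from the thread and not Chronicle code). It runs the if() mapping and the `match:` grouping over a few constructed UDM-shaped events and checks that filtering on the derived `$inference` label gives the same groups as filtering on `security_result.summary`, for both `=` and `!=`. It generalizes the rewrite: inverting the mapping yields the set of raw summary values equivalent to any derived label, not just "ABP". Field names follow the thread; treating summaries the if() chain does not cover as an unset (None) derived value is an assumption of this model.

```python
"""Reference evaluation of the thread's derived-field query over constructed
UDM-shaped events (added example; not Chronicle code and not from the thread)."""
from collections import Counter

# Constructed sample events. Keys follow the UDM paths used in the thread.
EVENTS = [
    {"metadata.product_event_type": "test", "security_result.summary": "Client Authentication Bypass",
     "principal.ip": "10.0.0.1", "target.ip": "10.0.0.9"},
    {"metadata.product_event_type": "test", "security_result.summary": "Client Authentication Bypass",
     "principal.ip": "10.0.0.1", "target.ip": "10.0.0.9"},
    {"metadata.product_event_type": "test", "security_result.summary": "SSH Agent Forwarding Requested",
     "principal.ip": "10.0.0.2", "target.ip": "10.0.0.9"},
    {"metadata.product_event_type": "test", "security_result.summary": "Some other summary",
     "principal.ip": "10.0.0.3", "target.ip": "10.0.0.9"},
    # Wrong product_event_type: must be dropped by the base filter.
    {"metadata.product_event_type": "prod", "security_result.summary": "Client Authentication Bypass",
     "principal.ip": "10.0.0.4", "target.ip": "10.0.0.9"},
]

# The nested if() from the thread, expressed as a source-value -> label table.
INFERENCE_MAP = {
    "Client Authentication Bypass": "ABP",
    "SSH Agent Forwarding Requested": "AFR",
}


def derive_inference(summary):
    """$inference for one event; None models an unset derived value for
    summaries the if() chain does not cover (an assumption of this model)."""
    return INFERENCE_MAP.get(summary)


def source_values_for(label):
    """Invert the mapping: every security_result.summary that yields `label`.
    This is what makes the accepted answer's rewrite general."""
    return {src for src, lbl in INFERENCE_MAP.items() if lbl == label}


def derived_equals(label):
    """$inference = "<label>" (the filter that fails in Run in Search)."""
    return lambda e: derive_inference(e.get("security_result.summary")) == label


def derived_not_equals(label):
    """$inference != "<label>"."""
    return lambda e: derive_inference(e.get("security_result.summary")) != label


def source_equals(label):
    """Accepted answer's workaround: filter on the raw field instead."""
    allowed = source_values_for(label)
    return lambda e: e.get("security_result.summary") in allowed


def source_not_equals(label):
    """Negated form of the workaround."""
    excluded = source_values_for(label)
    return lambda e: e.get("security_result.summary") not in excluded


def run_query(events, event_filter):
    """Apply the base filter and event_filter, then group like the thread's
    `match: principal.ip, target.ip, $inference`. Returns {group: event_count}."""
    groups = Counter()
    for e in events:
        if e.get("metadata.product_event_type") != "test":
            continue
        if not event_filter(e):
            continue
        key = (e.get("principal.ip"), e.get("target.ip"),
               derive_inference(e.get("security_result.summary")))
        groups[key] += 1
    return dict(groups)


def filters_agree(events, f1, f2):
    """True when two filters produce identical match groups and counts."""
    return run_query(events, f1) == run_query(events, f2)


if __name__ == "__main__":
    for label in ("ABP", "AFR"):
        print(label, run_query(EVENTS, source_equals(label)),
              "equivalent:", filters_agree(EVENTS, derived_equals(label), source_equals(label)))
```

Running the script prints the expected groups for each label, which is a useful baseline to compare against the dashboard widget before pasting the rewritten query into Run in Search. Because the inverse mapping is a set, the same rewrite also covers if() chains where several raw summaries collapse onto one label.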


dishank_08
  • Author
  • New Member
  • January 16, 2026

Thanks ​@PanosMtln.

This is very strange. The derived value filters are working on Native Dashboard Queries. It’s just not working when trying to “Run in Search” the same Dashboard query, which prevents someone from seeing the raw logs behind the query results.


chrisd2
  • Bronze 5
  • January 23, 2026

Hello,

I think I encountered a similar behavior when trying to filter on a re.capture’d variable. I have not had any issue filtering on on-the-fly variables yet.

Here’s the link to my post regarding the issue:

What is funny though is that filtering with “equals STRING” does not work but filtering with “equals REGEX” seems to be working...


chrisd2
  • Bronze 5
  • January 23, 2026

Hello,

I think I identified the cause of the issue. When trying to run the Query in Search, did you check your Case Sensitivity setting?

I believe it must be set to “On” for your query to work as expected (IDK why). Could you try Case Sens. Off vs. On and check the results?