There is one “logical mistake” in Dashboards. It is brought by the fact that you are excluding “Low Priority Tags” and “No tags found” (let me call it “invalid tags”) from some of visualizations, but not all of visualisations.
I.e. if I look to Malware Families dashboard, “invalid tags” are “Excluded” out from Malware Cloud visualization, but not from Count of Unique IPs (as it is simply count of documents with unique IPs, not documents with unique IPs and real Malware Families). As a result, when you look to dashboard you get wrong impression that Tags from Cloud can be found on presented number of IP addresses. It looks like you have much more DNS events and IP addresses with meaningful information than it actually is.
I think we shall put Filter on dashboard instead to filter out “invalid tags”.
There is one “logical mistake” in Dashboards. It is brought by the fact that you are excluding “Low Priority Tags” and “No tags found” (let me call it “invalid tags”) from some of visualizations, but not all of visualisations.
I.e. if I look to Malware Families dashboard, “invalid tags” are “Excluded” out from Malware Cloud visualization, but not from Count of Unique IPs (as it is simply count of documents with unique IPs, not documents with unique IPs and real Malware Families). As a result, when you look to dashboard you get wrong impression that Tags from Cloud can be found on presented number of IP addresses. It looks like you have much more DNS events and IP addresses with meaningful information than it actually is.
I think we shall put Filter on dashboard instead to filter out “invalid tags”.