In the out-of-the-box (OOTB) dashboard, the investigation query does not put quotes around the values of a new meta key (e.g. direction) when you click to investigate from the Traffic Flow Direction chart in the Overview Dashboard.
For example, the query sent to the core is: direction=outbound && (direction exists). This throws an error in the UI.
The expected query is: direction='outbound' && (direction exists). This query loads the results.
This is a design issue in the way Charts and Dashlets are implemented as part of OOTB. New meta that is added in the core appears in the schema only after 24 hours. If the schema definition is not available in SA, the meta is treated as "Undefined" and its value is not quoted in the query.
Restart the Reporting Engine, or
Remove and re-add the data source to the Reporting Engine, or
Wait 24 hours to allow the schema cache to update.
Restarting the jettysrv service on the Security Analytics server is required for the change to be reflected in the dashlet query. The hyperlink used for the investigation query was created during dashlet creation, and when the Reporting Engine schema cache is updated, the dashlet is not.