Incorrect Order by Descending in Kibana visualization

anhlqn · May 2, 2016, 5:23pm

I have created a visualization to show the number of netflows per IPV4_SRC_ADDR over time. It is supposed to sort the IP in the legend by Count in descending order. However as you look at the graph below, the IP with pink column occupies most of the flows, but it is at the 13th of the legend while all other IPs with very low flows sit on the top of the legend.

My first thought is that Kibana sorting bases on values in the last column or the overall values in the visualization, but it does not seem to be true.

I've been having issues with those types of graphs where Date Histogram is combined with Bars or Lines, and I am not sure how Kibana actually sorts values.

Bargs · May 2, 2016, 11:01pm

Hi @anhlqn, as far as I know the Order By setting is not intended to affect the Kibana UI. It only affects the Elasticsearch aggregation, specifically it maps directly to the Order setting in the terms agg.

anhlqn · May 5, 2016, 2:00am

Thanks, is there any plan/way to make it effective in Kibana UI too? It's pretty confusing to see the graph like that.

Bargs · May 5, 2016, 2:46pm

It looks like it's still an open discussion on this ticket https://github.com/elastic/kibana/issues/3118

Your input would definitely be appreciated on the ticket.

anhlqn · May 5, 2016, 3:39pm

I've posted on the ticket. You said that Order By is not intended to affect Kibana UI, but why does this issue only occur when I use Date Histogram + Split bars? Order By works fine for a simple pie chart or bar chart.

Bargs · May 5, 2016, 4:09pm

Unfortunately I'm not terribly familiar with the vislib code, I'd have to dig in to see what's going on exactly. I know @Khalah_Jones_Golden is a bit more familiar with it, he might be able to say whether this is an actual bug or not.

spalger · May 5, 2016, 11:13pm

As you pointed out the ordering is only off when you combine the date histogram and the split bars. This is because the legend shows values in the order that they appear from left to right, meaning that all of the IP's from the small bars on the left of that chart are going to be at the top of the legend, followed by the IP addresses in the second day, and so on.

The reality is simply that both the date histogram and the terms agg have an order (even though the order of time is implicit) and the display of values in the legend reflects the order defined by the nested aggregations.

To get the view that you are looking for I suggest you try a data table, which allows you to sort by arbitrary columns. You could use place this next to your histogram on a dashboard and use them together to drill down and get the experience you are looking for. Hope that helps!

anhlqn · May 6, 2016, 3:47am

Thanks, I'll try

exorcista · May 20, 2016, 3:26pm

Hi all.
I am facing the same issue, it is correct that order is working with the pie chart but it is not for histogram..

seth.yes · July 18, 2016, 9:41pm

I'm seeing the same issue -- latest supported version of E, L & K - however in a bar graph, even without split bars, a split chart will not order by terms, nor by any metric, seems almost randomly placed - creating a new visualization does not resolve the issue.