Sort in a Data Table


#1

Let's say I use count as the metric.

Then I use said count as the sort metric in a data table; this sort metric is used for all of the buckets/sub-buckets.

Should I be able to reasonably expect that the lines returned would be sorted from high to low, since I am also selecting descending order?

I am not seeing it sorted in that manner. I then click on the count heading to re-sort and it eventually gets to that, but shouldn't it do that from the beginning?

Here is the request from Kibana:

{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "analyze_wildcard": true,
          "query": "Action: deny AND FirewallDomain: abcpf* AND Type: TRAFFIC"
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1472082814725,
                  "lte": 1472169214726,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "5": {
      "date_range": {
        "field": "@timestamp",
        "ranges": [
          {
            "from": "now-23h-59m",
            "to": "now"
          }
        ]
      },
      "aggs": {
        "3": {
          "terms": {
            "field": "SourceAddress",
            "size": 0,
            "order": {
              "_count": "desc"
            }
          },
          "aggs": {
            "4": {
              "terms": {
                "field": "SourcePort",
                "size": 0,
                "order": {
                  "_count": "desc"
                }
              },
              "aggs": {
                "6": {
                  "terms": {
                    "field": "DestinationAddress",
                    "size": 0,
                    "order": {
                      "_count": "desc"
                    }
                  },
                  "aggs": {
                    "7": {
                      "terms": {
                        "field": "DestinationPort",
                        "size": 0,
                        "order": {
                          "_count": "desc"
                        }
                      },
                      "aggs": {
                        "8": {
                          "terms": {
                            "field": "IPProtocol",
                            "size": 0,
                            "order": {
                              "_count": "desc"
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}


(Tyler Smalley) #2

According to the posted request, the documents should be ordered by their doc _count. If you inspect the response you should see this is the case. If you are seeing something different, please post the response and the generated table.

Here is the supporting documentation for count in term aggregations: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html#search-aggregations-bucket-terms-aggregation-order
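
Elasticsearch applies a terms aggregation's `"_count": "desc"` order to each bucket list separately, so sub-buckets are sorted within their parent bucket rather than across the whole result. The script below is an added example, not code from the thread or from Kibana: it flattens a constructed response fragment (same aggregation ids and field names as the request above, with only three nesting levels to keep it short) into table rows the way a data table does, then checks both the per-level order and whether the resulting rows are globally sorted by the leaf count.

```python
# Added example: flatten a nested terms-aggregation response into rows and
# inspect the ordering. SAMPLE_AGGS is a constructed fragment, not real data.
SAMPLE_AGGS = {
    "3": {"buckets": [  # SourceAddress, sorted by doc_count desc
        {"key": "10.0.0.5", "doc_count": 7, "4": {"buckets": [  # SourcePort
            {"key": 53, "doc_count": 4, "6": {"buckets": [     # DestinationAddress
                {"key": "10.1.1.1", "doc_count": 3},
                {"key": "10.1.1.2", "doc_count": 1},
            ]}},
            {"key": 443, "doc_count": 3, "6": {"buckets": [
                {"key": "10.1.1.9", "doc_count": 3},
            ]}},
        ]}},
        {"key": "10.0.0.9", "doc_count": 5, "4": {"buckets": [
            {"key": 22, "doc_count": 5, "6": {"buckets": [
                {"key": "10.1.1.7", "doc_count": 5},
            ]}},
        ]}},
    ]}
}

AGG_IDS = ["3", "4", "6"]  # nesting order used by the request in the question


def flatten(aggs, agg_ids, prefix=()):
    """Walk nested buckets depth-first, yielding (key, ..., leaf doc_count) rows."""
    agg_id, rest = agg_ids[0], agg_ids[1:]
    for bucket in aggs[agg_id]["buckets"]:
        row = prefix + (bucket["key"],)
        if rest and rest[0] in bucket:
            yield from flatten(bucket, rest, row)
        else:
            yield row + (bucket["doc_count"],)


def each_level_sorted(aggs, agg_ids):
    """True if every bucket list, at every nesting level, is in doc_count desc order."""
    agg_id, rest = agg_ids[0], agg_ids[1:]
    buckets = aggs[agg_id]["buckets"]
    counts = [b["doc_count"] for b in buckets]
    if counts != sorted(counts, reverse=True):
        return False
    return all(each_level_sorted(b, rest) for b in buckets if rest and rest[0] in b)


def rows_sorted_by_count(rows):
    """True if the flattened table is globally sorted by the leaf count, descending."""
    counts = [r[-1] for r in rows]
    return counts == sorted(counts, reverse=True)


if __name__ == "__main__":
    table = list(flatten(SAMPLE_AGGS, AGG_IDS))
    for r in table:
        print(r)
    print("per-level sorted:", each_level_sorted(SAMPLE_AGGS, AGG_IDS))
    print("globally sorted:", rows_sorted_by_count(table))
```

Running it prints four rows whose leaf counts are 3, 1, 3, 5: every level is sorted within its parent, yet the flattened rows are not, which is the view a data table shows before a column-header re-sort.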

