We've recently begun using ELK for report logs. Previously I have visualized our report usage using Tableau. Attempting to create a similar viz in Kibana, I ran across an interesting feature.
We use a viz that shows the top x usernames AND the reports that they have executed. In Kibana, I created this by adding username as the X-axis aggregation (Top 30, in this case), with reportname as the split bar sub-aggregation. The resulting chart shows the Top 30 usernames, but is not sorted in the order of their total executions. The first 28 are sorted by their executions because they all use report #1. The last two bars are users who never executed report #1, but they did execute report #2. (See attached screenshot).
Questions:
-
Is this a bug or a feature? But for the fact that some users hadn't executed the "Top 1" report, I wouldn't have run across this.
-
Any ideas on where in the documentation I can read about how this sorting works? It took me more time than I would have preferred to untie this mental knot.
-
Do I have any ability within Kibana to create the type of viz I'm used to? Where the reportname is just an attribute on each individual chart, rather than an aggregation? I understand that some things just work differently since we're running on elasticsearch, etc. And that brings other features that are advantageous. Just want to make sure I'm covering my bases.
I've uploaded both the Kibana example and the Tableau example, with arrows pointing to the two user bars that are sorted differently in Kibana. 
Thanks!
Scott