Legend order does not match with query result #154533

Open
angorayc opened this issue Apr 6, 2023 · 4 comments
Labels
Feature:Lens Charts Security Solution Lens Charts feature Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore Team:Threat Hunting Security Solution Threat Hunting Team


angorayc commented Apr 6, 2023

This is a question about the legend's order. I have a bar chart broken down by unique count of dns.question.name, ranked in descending order (screenshot 1, 2). The result comes out in the expected order (key apple.com has the greatest value, 55), but the legend does not follow that order. I would like to know if there's a way I can apply the same order to the legend.

Setup:
Screenshot 2023-04-06 at 11 14 07
Screenshot 2023-04-06 at 11 14 22

Request:

{
  "aggs": {
    "0": {
      "terms": {
        "field": "dns.question.registered_domain",
        "order": {
          "2": "desc"
        },
        "size": 10,
        "shard_size": 1000
      },
      "aggs": {
        "1": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "30m",
            "time_zone": "Europe/London",
            "min_doc_count": 1
          },
          "aggs": {
            "2": {
              "cardinality": {
                "field": "dns.question.name"
              }
            }
          }
        },
        "2": {
          "cardinality": {
            "field": "dns.question.name"
          }
        }
      }
    }
  },
  "size": 0,
  "fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "dll.code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "elf.creation_date",
      "format": "date_time"
    },
    {
      "field": "email.delivery_timestamp",
      "format": "date_time"
    },
    {
      "field": "email.origination_timestamp",
      "format": "date_time"
    },
    {
      "field": "event.created",
      "format": "date_time"
    },
    {
      "field": "event.end",
      "format": "date_time"
    },
    {
      "field": "event.ingested",
      "format": "date_time"
    },
    {
      "field": "event.start",
      "format": "date_time"
    },
    {
      "field": "file.accessed",
      "format": "date_time"
    },
    {
      "field": "file.code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "file.created",
      "format": "date_time"
    },
    {
      "field": "file.ctime",
      "format": "date_time"
    },
    {
      "field": "file.elf.creation_date",
      "format": "date_time"
    },
    {
      "field": "file.mtime",
      "format": "date_time"
    },
    {
      "field": "file.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "file.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.end",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.last_detected",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.original_event.created",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.original_event.end",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.original_event.ingested",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.original_event.start",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.original_time",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.rule.created_at",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.rule.updated_at",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.start",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.suppression.end",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.suppression.start",
      "format": "date_time"
    },
    {
      "field": "kibana.alert.threshold_result.from",
      "format": "date_time"
    },
    {
      "field": "package.installed",
      "format": "date_time"
    },
    {
      "field": "process.code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "process.elf.creation_date",
      "format": "date_time"
    },
    {
      "field": "process.end",
      "format": "date_time"
    },
    {
      "field": "process.entry_leader.parent.session_leader.start",
      "format": "date_time"
    },
    {
      "field": "process.entry_leader.parent.start",
      "format": "date_time"
    },
    {
      "field": "process.entry_leader.start",
      "format": "date_time"
    },
    {
      "field": "process.group_leader.start",
      "format": "date_time"
    },
    {
      "field": "process.parent.code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "process.parent.elf.creation_date",
      "format": "date_time"
    },
    {
      "field": "process.parent.end",
      "format": "date_time"
    },
    {
      "field": "process.parent.group_leader.start",
      "format": "date_time"
    },
    {
      "field": "process.parent.start",
      "format": "date_time"
    },
    {
      "field": "process.session_leader.parent.session_leader.start",
      "format": "date_time"
    },
    {
      "field": "process.session_leader.parent.start",
      "format": "date_time"
    },
    {
      "field": "process.session_leader.start",
      "format": "date_time"
    },
    {
      "field": "process.start",
      "format": "date_time"
    },
    {
      "field": "signal.original_event.created",
      "format": "date_time"
    },
    {
      "field": "signal.original_event.end",
      "format": "date_time"
    },
    {
      "field": "signal.original_event.start",
      "format": "date_time"
    },
    {
      "field": "signal.original_time",
      "format": "date_time"
    },
    {
      "field": "signal.rule.created_at",
      "format": "date_time"
    },
    {
      "field": "signal.rule.updated_at",
      "format": "date_time"
    },
    {
      "field": "signal.threshold_result.from",
      "format": "date_time"
    },
    {
      "field": "system.audit.host.boottime",
      "format": "date_time"
    },
    {
      "field": "system.audit.package.installtime",
      "format": "date_time"
    },
    {
      "field": "system.audit.user.password.last_changed",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.accessed",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.created",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.ctime",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.elf.creation_date",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.mtime",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.file.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.first_seen",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.last_seen",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.modified_at",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.indicator.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "threat.enrichments.matched.occurred",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.accessed",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.code_signature.timestamp",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.created",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.ctime",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.elf.creation_date",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.mtime",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.file.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.first_seen",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.last_seen",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.modified_at",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "threat.indicator.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "tls.client.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.client.not_before",
      "format": "date_time"
    },
    {
      "field": "tls.client.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.client.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "tls.server.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.server.not_before",
      "format": "date_time"
    },
    {
      "field": "tls.server.x509.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.server.x509.not_before",
      "format": "date_time"
    },
    {
      "field": "x509.not_after",
      "format": "date_time"
    },
    {
      "field": "x509.not_before",
      "format": "date_time"
    }
  ],
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "_index": "auditbeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "packetbeat-*"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2023-04-05T15:03:28.287Z",
              "lte": "2023-04-06T09:03:28.287Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

Result:

{
  "id": "Fk5XQlJhUzc2U2hPc3ZHMTJENldOSWceRVZUYmlYNG9Sam1PVjB1ZEdBQjhsZzoxNjk1NDk1",
  "rawResponse": {
    "took": 40,
    "timed_out": false,
    "_shards": {
      "total": 3,
      "successful": 3,
      "skipped": 1,
      "failed": 0
    },
    "hits": {
      "total": 119359,
      "max_score": null,
      "hits": []
    },
    "aggregations": {
      "0": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 2398,
        "buckets": [
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 13
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 24
                },
                {
                  "2": {
                    "value": 18
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 96
                },
                {
                  "2": {
                    "value": 7
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 19
                },
                {
                  "2": {
                    "value": 8
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 17
                },
                {
                  "2": {
                    "value": 5
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 14
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 97
                },
                {
                  "2": {
                    "value": 11
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 28
                },
                {
                  "2": {
                    "value": 13
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 50
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T21:00:00.000+01:00",
                  "key": 1680724800000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T21:30:00.000+01:00",
                  "key": 1680726600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T22:00:00.000+01:00",
                  "key": 1680728400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T22:30:00.000+01:00",
                  "key": 1680730200000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T23:00:00.000+01:00",
                  "key": 1680732000000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T23:30:00.000+01:00",
                  "key": 1680733800000,
                  "doc_count": 9
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T00:00:00.000+01:00",
                  "key": 1680735600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T00:30:00.000+01:00",
                  "key": 1680737400000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T01:00:00.000+01:00",
                  "key": 1680739200000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T01:30:00.000+01:00",
                  "key": 1680741000000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T02:00:00.000+01:00",
                  "key": 1680742800000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T02:30:00.000+01:00",
                  "key": 1680744600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T03:00:00.000+01:00",
                  "key": 1680746400000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T03:30:00.000+01:00",
                  "key": 1680748200000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T04:00:00.000+01:00",
                  "key": 1680750000000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T04:30:00.000+01:00",
                  "key": 1680751800000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T05:00:00.000+01:00",
                  "key": 1680753600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T05:30:00.000+01:00",
                  "key": 1680755400000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T06:00:00.000+01:00",
                  "key": 1680757200000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T06:30:00.000+01:00",
                  "key": 1680759000000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T07:00:00.000+01:00",
                  "key": 1680760800000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T07:30:00.000+01:00",
                  "key": 1680762600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T08:00:00.000+01:00",
                  "key": 1680764400000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T08:30:00.000+01:00",
                  "key": 1680766200000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 45
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 91
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 4
                }
              ]
            },
            "2": {
              "value": 55
            },
            "key": "apple.com",
            "doc_count": 549
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 19
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 172
                },
                {
                  "2": {
                    "value": 19
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 184
                },
                {
                  "2": {
                    "value": 12
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 235
                },
                {
                  "2": {
                    "value": 21
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 188
                },
                {
                  "2": {
                    "value": 12
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 120
                },
                {
                  "2": {
                    "value": 12
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 114
                },
                {
                  "2": {
                    "value": 11
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 68
                },
                {
                  "2": {
                    "value": 10
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 34
                },
                {
                  "2": {
                    "value": 8
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 17
                },
                {
                  "2": {
                    "value": 7
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 14
                },
                {
                  "2": {
                    "value": 19
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 119
                },
                {
                  "2": {
                    "value": 10
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 26
                }
              ]
            },
            "2": {
              "value": 34
            },
            "key": "google.com",
            "doc_count": 1291
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 7
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 25
                },
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 49
                },
                {
                  "2": {
                    "value": 9
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 27
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 3
                }
              ]
            },
            "2": {
              "value": 17
            },
            "key": "akadns.net",
            "doc_count": 153
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 3
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 9
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 19
                },
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 25
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 30
                },
                {
                  "2": {
                    "value": 14
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 22
                }
              ]
            },
            "2": {
              "value": 15
            },
            "key": "akamaiedge.net",
            "doc_count": 117
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 6
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T21:00:00.000+01:00",
                  "key": 1680724800000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T21:30:00.000+01:00",
                  "key": 1680726600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T22:00:00.000+01:00",
                  "key": 1680728400000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T22:30:00.000+01:00",
                  "key": 1680730200000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T23:00:00.000+01:00",
                  "key": 1680732000000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T23:30:00.000+01:00",
                  "key": 1680733800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T00:00:00.000+01:00",
                  "key": 1680735600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T00:30:00.000+01:00",
                  "key": 1680737400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T01:00:00.000+01:00",
                  "key": 1680739200000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T01:30:00.000+01:00",
                  "key": 1680741000000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T02:00:00.000+01:00",
                  "key": 1680742800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T02:30:00.000+01:00",
                  "key": 1680744600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T03:00:00.000+01:00",
                  "key": 1680746400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T03:30:00.000+01:00",
                  "key": 1680748200000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T04:00:00.000+01:00",
                  "key": 1680750000000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T04:30:00.000+01:00",
                  "key": 1680751800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T05:00:00.000+01:00",
                  "key": 1680753600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T05:30:00.000+01:00",
                  "key": 1680755400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T06:00:00.000+01:00",
                  "key": 1680757200000,
                  "doc_count": 3
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T06:30:00.000+01:00",
                  "key": 1680759000000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T07:00:00.000+01:00",
                  "key": 1680760800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T07:30:00.000+01:00",
                  "key": 1680762600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T08:00:00.000+01:00",
                  "key": 1680764400000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T08:30:00.000+01:00",
                  "key": 1680766200000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 11
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 25
                }
              ]
            },
            "2": {
              "value": 11
            },
            "key": "aaplimg.com",
            "doc_count": 86
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 11
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 23
                }
              ]
            },
            "2": {
              "value": 11
            },
            "key": "taboola.com",
            "doc_count": 23
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 10
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 20
                },
                {
                  "2": {
                    "value": 5
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 2
                }
              ]
            },
            "2": {
              "value": 10
            },
            "key": "zoom.us",
            "doc_count": 33
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 13
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 3
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 1
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 22
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 9
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 8
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 18
                },
                {
                  "2": {
                    "value": 2
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 2
                }
              ]
            },
            "2": {
              "value": 9
            },
            "key": "apple-dns.net",
            "doc_count": 98
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 7
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 19
                }
              ]
            },
            "2": {
              "value": 9
            },
            "key": "doubleclick.net",
            "doc_count": 41
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 6
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 22
                },
                {
                  "2": {
                    "value": 6
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 38
                },
                {
                  "2": {
                    "value": 8
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 47
                },
                {
                  "2": {
                    "value": 7
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 54
                },
                {
                  "2": {
                    "value": 6
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 15
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 7
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 2
                },
                {
                  "2": {
                    "value": 1
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 4
                },
                {
                  "2": {
                    "value": 4
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 9
                },
                {
                  "2": {
                    "value": 5
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 12
                }
              ]
            },
            "2": {
              "value": 9
            },
            "key": "elastic.co",
            "doc_count": 220
          },
          {
            "1": {
              "buckets": [
                {
                  "2": {
                    "value": 37
                  },
                  "key_as_string": "2023-04-05T16:00:00.000+01:00",
                  "key": 1680706800000,
                  "doc_count": 142
                },
                {
                  "2": {
                    "value": 78
                  },
                  "key_as_string": "2023-04-05T16:30:00.000+01:00",
                  "key": 1680708600000,
                  "doc_count": 245
                },
                {
                  "2": {
                    "value": 79
                  },
                  "key_as_string": "2023-04-05T17:00:00.000+01:00",
                  "key": 1680710400000,
                  "doc_count": 457
                },
                {
                  "2": {
                    "value": 33
                  },
                  "key_as_string": "2023-04-05T17:30:00.000+01:00",
                  "key": 1680712200000,
                  "doc_count": 163
                },
                {
                  "2": {
                    "value": 34
                  },
                  "key_as_string": "2023-04-05T18:00:00.000+01:00",
                  "key": 1680714000000,
                  "doc_count": 156
                },
                {
                  "2": {
                    "value": 25
                  },
                  "key_as_string": "2023-04-05T18:30:00.000+01:00",
                  "key": 1680715800000,
                  "doc_count": 131
                },
                {
                  "2": {
                    "value": 26
                  },
                  "key_as_string": "2023-04-05T19:00:00.000+01:00",
                  "key": 1680717600000,
                  "doc_count": 94
                },
                {
                  "2": {
                    "value": 30
                  },
                  "key_as_string": "2023-04-05T19:30:00.000+01:00",
                  "key": 1680719400000,
                  "doc_count": 115
                },
                {
                  "2": {
                    "value": 30
                  },
                  "key_as_string": "2023-04-05T20:00:00.000+01:00",
                  "key": 1680721200000,
                  "doc_count": 57
                },
                {
                  "2": {
                    "value": 32
                  },
                  "key_as_string": "2023-04-05T20:30:00.000+01:00",
                  "key": 1680723000000,
                  "doc_count": 76
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T21:00:00.000+01:00",
                  "key": 1680724800000,
                  "doc_count": 11
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T21:30:00.000+01:00",
                  "key": 1680726600000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T22:00:00.000+01:00",
                  "key": 1680728400000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T22:30:00.000+01:00",
                  "key": 1680730200000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T23:00:00.000+01:00",
                  "key": 1680732000000,
                  "doc_count": 7
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-05T23:30:00.000+01:00",
                  "key": 1680733800000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T00:00:00.000+01:00",
                  "key": 1680735600000,
                  "doc_count": 7
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T00:30:00.000+01:00",
                  "key": 1680737400000,
                  "doc_count": 9
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T01:00:00.000+01:00",
                  "key": 1680739200000,
                  "doc_count": 11
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T01:30:00.000+01:00",
                  "key": 1680741000000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T02:00:00.000+01:00",
                  "key": 1680742800000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T02:30:00.000+01:00",
                  "key": 1680744600000,
                  "doc_count": 6
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T03:00:00.000+01:00",
                  "key": 1680746400000,
                  "doc_count": 12
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T03:30:00.000+01:00",
                  "key": 1680748200000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T04:00:00.000+01:00",
                  "key": 1680750000000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T04:30:00.000+01:00",
                  "key": 1680751800000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T05:00:00.000+01:00",
                  "key": 1680753600000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T05:30:00.000+01:00",
                  "key": 1680755400000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T06:00:00.000+01:00",
                  "key": 1680757200000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T06:30:00.000+01:00",
                  "key": 1680759000000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T07:00:00.000+01:00",
                  "key": 1680760800000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T07:30:00.000+01:00",
                  "key": 1680762600000,
                  "doc_count": 5
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T08:00:00.000+01:00",
                  "key": 1680764400000,
                  "doc_count": 8
                },
                {
                  "2": {
                    "value": 3
                  },
                  "key_as_string": "2023-04-06T08:30:00.000+01:00",
                  "key": 1680766200000,
                  "doc_count": 10
                },
                {
                  "2": {
                    "value": 114
                  },
                  "key_as_string": "2023-04-06T09:30:00.000+01:00",
                  "key": 1680769800000,
                  "doc_count": 313
                },
                {
                  "2": {
                    "value": 129
                  },
                  "key_as_string": "2023-04-06T10:00:00.000+01:00",
                  "key": 1680771600000,
                  "doc_count": 275
                }
              ]
            },
            "2": {
              "value": 268
            },
            "doc_count": 2398,
            "filters": [
              {
                "meta": {
                  "index": "security-solution-default",
                  "type": "phrases",
                  "key": "dns.question.registered_domain",
                  "params": [
                    "apple.com",
                    "google.com",
                    "akadns.net",
                    "akamaiedge.net",
                    "aaplimg.com",
                    "taboola.com",
                    "zoom.us",
                    "apple-dns.net",
                    "doubleclick.net",
                    "elastic.co"
                  ],
                  "negate": true
                },
                "query": {
                  "bool": {
                    "should": [
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "apple.com"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "google.com"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "akadns.net"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "akamaiedge.net"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "aaplimg.com"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "taboola.com"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "zoom.us"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "apple-dns.net"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "doubleclick.net"
                        }
                      },
                      {
                        "match_phrase": {
                          "dns.question.registered_domain": "elastic.co"
                        }
                      }
                    ],
                    "minimum_should_match": 1
                  }
                }
              }
            ],
            "key": "__other__"
          }
        ]
      }
    }
  },
  "isPartial": false,
  "isRunning": false,
  "total": 3,
  "loaded": 3,
  "isRestored": false
}
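An added example, not part of the original issue or of Kibana's code: a helper that derives the legend order a reader would expect from a terms-aggregation response shaped like the one above, and reports where a rendered legend differs. The function names, the sample buckets (built from metric values quoted in this issue) and the rule that `__other__` stays last are assumptions made for illustration.

```javascript
// Added example (not Kibana code). Works on the `buckets` array of the
// terms aggregation ("0" in this issue); the ranking metric id is "2".

const OTHER_KEY = "__other__";

// Constructed sample: keys and metric values quoted in the issue, with the
// per-interval date_histogram ("1") omitted because ranking does not use it.
const SAMPLE_BUCKETS = [
  { key: "apple.com", "2": { value: 55 } },
  { key: "akamaiedge.net", "2": { value: 15 } },
  { key: "aaplimg.com", "2": { value: 11 } },
  { key: "taboola.com", "2": { value: 11 } },
  { key: "zoom.us", "2": { value: 10 } },
  { key: OTHER_KEY, "2": { value: 268 } },
];

// Returns bucket keys in the order the ranking implies.
// Ties keep their response order; the "other" bucket is never ranked
// (assumption: it stays last, as it does in the response).
function expectedLegendOrder(buckets, rankMetricId, direction = "desc") {
  const sign = direction === "desc" ? -1 : 1;
  const ranked = [];
  const other = [];
  buckets.forEach((bucket, index) => {
    const metric = bucket[rankMetricId];
    if (!metric || typeof metric.value !== "number") {
      throw new TypeError(
        `bucket ${String(bucket.key)} has no numeric metric "${rankMetricId}"`
      );
    }
    const row = { key: bucket.key, value: metric.value, index };
    (bucket.key === OTHER_KEY ? other : ranked).push(row);
  });
  ranked.sort((a, b) => sign * (a.value - b.value) || a.index - b.index);
  return [...ranked, ...other].map((row) => row.key);
}

// Compares the expected order with the labels read from a rendered legend
// and returns one entry per position that differs.
function legendMismatches(buckets, rankMetricId, legendLabels, direction = "desc") {
  const expected = expectedLegendOrder(buckets, rankMetricId, direction);
  const mismatches = [];
  const length = Math.max(expected.length, legendLabels.length);
  for (let position = 0; position < length; position++) {
    if (expected[position] !== legendLabels[position]) {
      mismatches.push({
        position,
        expected: expected[position] ?? null,
        actual: legendLabels[position] ?? null,
      });
    }
  }
  return mismatches;
}

// Constructed legend in fully reversed order, to show what a mismatch report
// looks like; it is not a transcript of the legend in the screenshots.
const reversedLegend = [...expectedLegendOrder(SAMPLE_BUCKETS, "2")].reverse();
console.log(legendMismatches(SAMPLE_BUCKETS, "2", reversedLegend));
```

A check like this can sit in a functional test that reads the legend labels from the rendered chart and fails when the returned array is not empty.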
@angorayc angorayc added Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore labels Apr 6, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@angorayc
Contributor Author

angorayc commented Apr 6, 2023

Relevant links:
elastic/elastic-charts#1644
#86184
#122329
#101942

@angorayc angorayc self-assigned this Apr 6, 2023
@angorayc angorayc added the Feature:Lens Charts Security Solution Lens Charts feature label Apr 6, 2023
angorayc added a commit that referenced this issue Apr 12, 2023
## Summary

This fixes the query issues below within the DNS histogram:
### 1. The terms aggregation field should be
`dns.question.registered_domain` instead of `dns.question.domain`

**Steps to verify:**
- Inspect the chart and observe the query should do terms aggregation on
`dns.question.registered_domain`
 
**Known issue:**
#154533


<img width="1673" alt="Screenshot 2023-04-06 at 12 40 38"
src="https://user-images.githubusercontent.com/6295984/230366661-bb9ce5d3-7e80-460e-af64-8fbe26521c1c.png">


### 2. It didn't respect `is PTR record included` flag

**Steps to verify:**
- Switch the toggle in DNS tab to `include PTR record`
- Inspect the chart and observe the query should not exclude PTR record
- Click on Add to new Case / Add to existing Case / Open in Lens and
observe the query should not exclude PTR record.




https://user-images.githubusercontent.com/6295984/230366687-8cf0a4dd-beca-46ef-b756-ce898f289c47.mov



### 3. It didn't respect `is PTR record included` when feature flag
`chartEmbeddablesEnabled: is false`

**Steps to verify:**
- Set chartEmbeddablesEnabled to false
- Switch the toggle in DNS tab to `include PTR record`
- Click on Add to new Case / Add to existing Case / Open in Lens and
observe the query should not exclude PTR record.



https://user-images.githubusercontent.com/6295984/230420883-a1541d91-7414-4ce8-9ef5-ffb00e7d174d.mov





**After:**


https://user-images.githubusercontent.com/6295984/230366882-3fe857b0-b3d6-46cf-aaa7-646190ae661f.mov



### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
@MakoWish

Yes, the legend's sort order is now backward from what it has always been (at least on every version we have used in the last ~5 years), and it is counterintuitive. If the selected order is "descending", the largest value should be on top.
